return CKM_API_SUCCESS;
}
-int verifyBinaryData(Crypto::Data &input)
+int verifyBinaryData(const Crypto::Data &input)
{
Crypto::Data dummy;
return toBinaryData(input, dummy);
return CKM_API_SUCCESS;
}
-int loadAppKey(UserData &handler, const ClientId &owner, bool keyRequired = true)
-{
- if (!handler.crypto.haveKey(owner)) {
- RawBuffer wrappedDEK;
- auto wrappedDEKOptional = handler.database.getKey(owner);
-
- if (!wrappedDEKOptional) {
- if (keyRequired) {
- LogError("No key for given owner in database");
- return CKM_API_ERROR_DB_ERROR;
- }
- LogDebug("No Key in database found. Generating new one for client: " << owner);
- wrappedDEK = handler.keyProvider.generateDEK(owner);
- handler.database.saveKey(owner, wrappedDEK);
- } else {
- wrappedDEK = *wrappedDEKOptional;
- }
-
- handler.crypto.pushKey(owner, handler.keyProvider.getPureDEK(wrappedDEK));
- }
-
- return CKM_API_SUCCESS;
-}
-
} // namespace
const uid_t CKMLogic::SYSTEM_DB_UID = 0;
}));
}
-int CKMLogic::checkSaveConditions(
- const Credentials &accessorCred,
- UserData &handler,
- const Name &name,
- const ClientId &owner)
-{
- // verify name and client are correct
- if (!isNameValid(name) || !isClientValid(owner)) {
- LogDebug("Invalid parameter passed to key-manager");
- return CKM_API_ERROR_INPUT_PARAM;
- }
-
- // check if accessor is allowed to save owner's items
- int access_ec = m_accessControl.canSave(accessorCred, owner);
-
- if (access_ec != CKM_API_SUCCESS) {
- LogDebug("accessor " << accessorCred.client << " can not save rows owned by " <<
- owner);
- return access_ec;
- }
-
- // check if not a duplicate
- if (handler.database.isNameOwnerPresent(name, owner))
- return CKM_API_ERROR_DB_ALIAS_EXISTS;
-
- // generate (if needed) and load the app key
- loadAppKey(handler, owner, false);
-
- return CKM_API_SUCCESS;
-}
-
-DB::Row CKMLogic::createEncryptedRow(
- CryptoLogic &crypto,
- const Name &name,
- const ClientId &owner,
- const Crypto::Data &data,
- const Policy &policy,
- const RawBuffer &hash)
-{
- Crypto::GStore &store = m_decider.getStore(data.type, policy);
-
- // do not encrypt data with password during cc_mode on
- Token token = store.import(data,
- m_accessControl.isCCMode() ? "" : policy.password,
- Crypto::EncryptionParams(), hash);
- DB::Row row(std::move(token), name, owner,
- static_cast<int>(policy.extractable));
- crypto.encryptRow(row);
- return row;
-}
-
int CKMLogic::verifyAndSaveDataHelper(
const Credentials &cred,
const Name &name,
return SerializeMessage(msgId, retCode, data.type);
}
-int CKMLogic::extractPKCS12Data(
- CryptoLogic &crypto,
- const Name &name,
- const ClientId &owner,
- const PKCS12Serializable &pkcs,
- const PolicySerializable &keyPolicy,
- const PolicySerializable &certPolicy,
- DB::RowVector &output,
- const Credentials &cred)
-{
- // private key is mandatory
- auto key = pkcs.getKey();
-
- if (!key) {
- LogError("Failed to get private key from pkcs");
- return CKM_API_ERROR_INVALID_FORMAT;
- }
-
- auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
-
- Crypto::Data keyData(DataType(key->getType()), key->getDER());
- int retCode = verifyBinaryData(keyData);
-
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- output.push_back(createEncryptedRow(crypto, name, owner, keyData,
- keyPolicy, digest));
-
- // certificate is mandatory
- auto cert = pkcs.getCertificate();
-
- if (!cert) {
- LogError("Failed to get certificate from pkcs");
- return CKM_API_ERROR_INVALID_FORMAT;
- }
-
- Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
- retCode = verifyBinaryData(certData);
-
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- output.push_back(createEncryptedRow(crypto, name, owner, certData,
- certPolicy, digest));
-
- // CA cert chain
- unsigned int cert_index = 0;
-
- for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
- Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++),
- ca->getDER());
- int retCode = verifyBinaryData(caCertData);
-
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- output.push_back(createEncryptedRow(crypto, name, owner, caCertData,
- certPolicy, digest));
- }
-
- return CKM_API_SUCCESS;
-}
-
RawBuffer CKMLogic::savePKCS12(
const Credentials &cred,
int msgId,
}));
}
-
int CKMLogic::removeDataHelper(
const Credentials &cred,
const Name &name,
const ClientId &owner)
{
- auto &handler = selectDatabase(cred, owner);
-
- if (!isNameValid(name) || !isClientValid(owner)) {
- LogDebug("Invalid owner or name format");
- return CKM_API_ERROR_INPUT_PARAM;
- }
-
- DB::Crypto::Transaction transaction(&handler.database);
-
- // read and check permissions
- PermissionMaskOptional permissionRowOpt =
- handler.database.getPermissionRow(name, owner, cred.client);
- int retCode = m_accessControl.canDelete(cred,
- toPermissionMask(permissionRowOpt));
+ auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+ retCode = m_accessControl.canDelete(cred, permission);
if (retCode != CKM_API_SUCCESS) {
LogWarning("access control check result: " << retCode);
return retCode;
// get all matching rows
DB::RowVector rows;
- handler.database.getRows(name, owner, DataType::DB_FIRST,
- DataType::DB_LAST, rows);
-
+ dbOp.database().getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows);
if (rows.empty()) {
LogDebug("No row for given name and owner");
return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
}
- // load app key if needed
- retCode = loadAppKey(handler, rows.front().owner);
-
- if (CKM_API_SUCCESS != retCode)
+ retCode = dbOp.loadAppKey();
+ if (retCode != CKM_API_SUCCESS)
return retCode;
// destroy it in store
for (auto &r : rows) {
try {
- handler.crypto.decryptRow(Password(), r);
+ dbOp.handler().crypto.decryptRow(Password(), r);
m_decider.getStore(r).destroy(r);
} catch (const Exc::AuthenticationFailed &) {
LogDebug("Authentication failed when removing data. Ignored.");
}
// delete row in db
- handler.database.deleteRow(name, owner);
- transaction.commit();
+ dbOp.database().deleteRow(name, owner);
+ dbOp.transaction().commit();
return CKM_API_SUCCESS;
}
int CKMLogic::checkDataPermissionsHelper(const Credentials &accessorCred,
- const Name &name,
- const ClientId &owner,
const DB::Row &row,
bool exportFlag,
- DB::Crypto &database)
+ const PermissionMask& permission)
{
- PermissionMaskOptional permissionRowOpt =
- database.getPermissionRow(name, owner, accessorCred.client);
-
if (exportFlag)
- return m_accessControl.canExport(accessorCred,
- row,
- toPermissionMask(permissionRowOpt));
+ return m_accessControl.canExport(accessorCred, row, permission);
- return m_accessControl.canRead(accessorCred,
- toPermissionMask(permissionRowOpt));
+ return m_accessControl.canRead(accessorCred, permission);
}
Crypto::GObjUPtr CKMLogic::rowToObject(
const Password &password,
Crypto::GObjUPtrVector &objs)
{
- auto &handler = selectDatabase(cred, owner);
-
- if (!isNameValid(name) || !isClientValid(owner))
- return CKM_API_ERROR_INPUT_PARAM;
+ auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
// read rows
- DB::Crypto::Transaction transaction(&handler.database);
DB::RowVector rows;
- int retCode = readMultiRow(name, owner, dataType, handler.database, rows);
-
+ retCode = readMultiRow(name, owner, dataType, dbOp.database(), rows);
if (CKM_API_SUCCESS != retCode)
return retCode;
DB::Row &firstRow = rows.at(0);
// check access rights
- retCode = checkDataPermissionsHelper(cred, name, owner, firstRow,
- exportFlag, handler.database);
-
+ retCode = checkDataPermissionsHelper(cred, firstRow, exportFlag, permission);
if (CKM_API_SUCCESS != retCode)
return retCode;
- // load app key if needed
- retCode = loadAppKey(handler, firstRow.owner);
+ // for multiple objects add type as hash input (see pkcs12)
+ bool multiple = rows.size() > 1;
- if (CKM_API_SUCCESS != retCode)
- return retCode;
+ RawBuffer digest;
- auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
+ retCode = dbOp.loadAppKey();
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
// decrypt row
- for (auto &row : rows)
- objs.push_back(rowToObject(handler, std::move(row), password, digest));
+ for (auto &row : rows) {
+ if (multiple)
+ digest = CryptoLogic::makeHash(name, owner, cred.clientUid, row.dataType);
+ else
+ digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
+
+ if (digest.empty())
+ return CKM_API_ERROR_HASH_ERROR;
+
+ objs.push_back(rowToObject(dbOp.handler(), std::move(row), password, digest));
+ }
// rowToObject may modify db
- transaction.commit();
+ dbOp.transaction().commit();
return CKM_API_SUCCESS;
}
Crypto::GObjUPtr &obj,
DataType &objDataType)
{
- auto &handler = selectDatabase(cred, owner);
-
- if (!isNameValid(name) || !isClientValid(owner))
- return CKM_API_ERROR_INPUT_PARAM;
+ auto [dbOp, permission, retCode] = beginAndGetPerm(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- // read row
- DB::Crypto::Transaction transaction(&handler.database);
DB::Row row;
- int retCode = readSingleRow(name, owner, dataType, handler.database, row);
-
+ retCode = readSingleRow(name, owner, dataType, dbOp.database(), row);
if (CKM_API_SUCCESS != retCode)
return retCode;
- objDataType = row.dataType;
-
- // check access rights
- retCode = checkDataPermissionsHelper(cred, name, owner, row, exportFlag,
- handler.database);
-
- if (CKM_API_SUCCESS != retCode)
+ retCode = dbOp.loadAppKey();
+ if (retCode != CKM_API_SUCCESS)
return retCode;
- // load app key if needed
- retCode = loadAppKey(handler, row.owner);
+ objDataType = row.dataType;
+ // check access rights
+ retCode = checkDataPermissionsHelper(cred, row, exportFlag, permission);
if (CKM_API_SUCCESS != retCode)
return retCode;
if (digest.empty())
return CKM_API_ERROR_HASH_ERROR;
- obj = rowToObject(handler, std::move(row), password, digest);
+ obj = rowToObject(dbOp.handler(), std::move(row), password, digest);
// rowToObject may modify db
- transaction.commit();
+ dbOp.transaction().commit();
return CKM_API_SUCCESS;
}
}
// Inital values are always imported with root credentials. Client id is not important.
- Credentials rootCred(0, "");
- ClientId owner(CLIENT_ID_SYSTEM);
- auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM);
+ Credentials rootCred(0, "whatever");
+ ClientId owner(CLIENT_ID_SYSTEM);
- // check if save is possible
- DB::Crypto::Transaction transaction(&handler.database);
- int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM);
+ auto [dbOp, digest, retCode] = beginSaveAndGetHash(rootCred, name, owner);
if (retCode != CKM_API_SUCCESS)
return retCode;
Crypto::GStore &store = m_decider.getStore(data.type, policy, !encParams.iv.empty());
Token token;
-
- auto digest = CryptoLogic::makeHash(name, owner, rootCred.clientUid);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
-
if (encParams.iv.empty()) {
// Data are not encrypted, let's try to verify them
Crypto::Data binaryData;
encParams, digest);
}
- DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM,
- static_cast<int>(policy.extractable));
- handler.crypto.encryptRow(row);
-
- handler.database.saveRow(row);
- transaction.commit();
+ dbOp.finalize(std::move(token), policy);
return CKM_API_SUCCESS;
});
const Crypto::Data &data,
const PolicySerializable &policy)
{
- auto &handler = selectDatabase(cred, owner);
-
- // check if save is possible
- DB::Crypto::Transaction transaction(&handler.database);
- int retCode = checkSaveConditions(cred, handler, name, owner);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
+ auto [dbOp, digest, ret] = beginSaveAndGetHash(cred, name, owner);
+ if (ret != CKM_API_SUCCESS)
+ return ret;
- // save the data
- DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, owner,
- data, policy, digest);
- handler.database.saveRow(encryptedRow);
+ Crypto::GStore &store = m_decider.getStore(data.type, policy);
- transaction.commit();
+ // do not encrypt data with password during cc_mode on
+ Token token = store.import(data,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ Crypto::EncryptionParams(), digest);
+ dbOp.finalize(std::move(token), policy);
return CKM_API_SUCCESS;
}
const PolicySerializable &keyPolicy,
const PolicySerializable &certPolicy)
{
- auto &handler = selectDatabase(cred, owner);
-
- // check if save is possible
- DB::Crypto::Transaction transaction(&handler.database);
- int retCode = checkSaveConditions(cred, handler, name, owner);
+ auto [dbOp, retCode] = beginSave(cred, name, owner);
if (retCode != CKM_API_SUCCESS)
return retCode;
// extract and encrypt the data
DB::RowVector encryptedRows;
- retCode = extractPKCS12Data(handler.crypto, name, owner, pkcs, keyPolicy,
- certPolicy, encryptedRows, cred);
- if (retCode != CKM_API_SUCCESS)
- return retCode;
+ auto import = [&](const Crypto::Data &data, const Policy& policy){
+ retCode = verifyBinaryData(data);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
- // save the data
- handler.database.saveRows(name, owner, encryptedRows);
- transaction.commit();
+ auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid, data.type);
+ if (digest.empty())
+ return CKM_API_ERROR_HASH_ERROR;
- return CKM_API_SUCCESS;
-}
+ Crypto::GStore &store = m_decider.getStore(data.type, policy);
+ // do not encrypt data with password during cc_mode on
+ Token token = store.import(data,
+ m_accessControl.isCCMode() ? "" : policy.password,
+ Crypto::EncryptionParams(), digest);
-int CKMLogic::createKeyAESHelper(
- const Credentials &cred,
- const int size,
- const Name &name,
- const ClientId &owner,
- const PolicySerializable &policy)
-{
- auto &handler = selectDatabase(cred, owner);
+ encryptedRows.push_back(dbOp.encryptOne(std::move(token), policy));
+ return CKM_API_SUCCESS;
+ };
- // check if save is possible
- DB::Crypto::Transaction transaction(&handler.database);
- int retCode = checkSaveConditions(cred, handler, name, owner);
+ // private key is mandatory
+ auto key = pkcs.getKey();
+ if (!key) {
+ LogError("Failed to get private key from pkcs");
+ return CKM_API_ERROR_INVALID_FORMAT;
+ }
+
+ Crypto::Data keyData(DataType(key->getType()), key->getDER());
+ retCode = import(keyData, keyPolicy);
if (retCode != CKM_API_SUCCESS)
return retCode;
- auto digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
- if (digest.empty())
- return CKM_API_ERROR_HASH_ERROR;
+ // certificate is mandatory
+ auto cert = pkcs.getCertificate();
+ if (!cert) {
+ LogError("Failed to get certificate from pkcs");
+ return CKM_API_ERROR_INVALID_FORMAT;
+ }
- // create key in store
- CryptoAlgorithm keyGenAlgorithm;
- keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
- keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
- Token key = m_decider.getStore(DataType::KEY_AES,
- policy).generateSKey(keyGenAlgorithm, policy.password, digest);
+ Crypto::Data certData(DataType::CERTIFICATE, cert->getDER());
+ retCode = import(certData, certPolicy);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ // CA cert chain
+ unsigned int cert_index = 0;
+ for (const auto &ca : pkcs.getCaCertificateShPtrVector()) {
+ Crypto::Data caCertData(DataType::getChainDatatype(cert_index ++), ca->getDER());
+ retCode = import(caCertData, certPolicy);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+ }
// save the data
- DB::Row row(std::move(key), name, owner,
- static_cast<int>(policy.extractable));
- handler.crypto.encryptRow(row);
+ dbOp.database().saveRows(name, owner, encryptedRows);
+ dbOp.transaction().commit();
+
+ return CKM_API_SUCCESS;
+}
+
+int CKMLogic::DBOperation::loadAppKey(bool keyRequired)
+{
+ if (!m_handler.crypto.haveKey(m_owner)) {
+ RawBuffer wrappedDEK;
+ auto wrappedDEKOptional = m_handler.database.getKey(m_owner);
+
+ if (!wrappedDEKOptional) {
+ if (keyRequired) {
+ LogError("No key for given owner in database");
+ return CKM_API_ERROR_DB_ERROR;
+ }
+ LogDebug("No Key in database found. Generating new one for client: " << m_owner);
+ wrappedDEK = m_handler.keyProvider.generateDEK(m_owner);
+ m_handler.database.saveKey(m_owner, wrappedDEK);
+ } else {
+ wrappedDEK = *wrappedDEKOptional;
+ }
- handler.database.saveRow(row);
+ m_handler.crypto.pushKey(m_owner, m_handler.keyProvider.getPureDEK(wrappedDEK));
+ }
- transaction.commit();
return CKM_API_SUCCESS;
}
-int CKMLogic::createKeyPairHelper(
+std::tuple<CKMLogic::DBOperation, int> CKMLogic::begin(
const Credentials &cred,
- const CryptoAlgorithmSerializable &keyGenParams,
- const Name &namePrivate,
- const ClientId &ownerPrivate,
- const Name &namePublic,
- const ClientId &ownerPublic,
- const PolicySerializable &policyPrivate,
- const PolicySerializable &policyPublic)
+ const Name &name,
+ const ClientId &owner)
{
- auto &handlerPriv = selectDatabase(cred, ownerPrivate);
- auto &handlerPub = selectDatabase(cred, ownerPublic);
-
- AlgoType keyType = AlgoType::RSA_GEN;
+ auto &handler = selectDatabase(cred, owner);
+ DBOperation op(handler, name, owner);
- if (!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType))
- ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found.");
+ if (cred.client.empty() || !isClientValid(cred.client) ||
+ !isNameValid(name) || !isClientValid(owner))
+ return std::make_tuple(std::move(op), CKM_API_ERROR_INPUT_PARAM);
- const auto dtIt = ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.find(keyType);
- if (dtIt == ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.end())
- ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
- const DataTypePair& dt = dtIt->second;
+ return std::make_tuple(std::move(op), CKM_API_SUCCESS);
+}
- if (policyPrivate.backend != policyPublic.backend)
- ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
+std::tuple<CKMLogic::DBOperation, PermissionMask, int> CKMLogic::beginAndGetPerm(
+ const Credentials &cred,
+ const Name &name,
+ const ClientId &owner)
+{
+ PermissionMask permission;
+ auto [dbOp, retCode] = begin(cred, name, owner);
+ if (retCode == CKM_API_SUCCESS)
+ permission = toPermissionMask(dbOp.database().getPermissionRow(name, owner, cred.client));
- bool exportable = policyPrivate.extractable || policyPublic.extractable;
- Policy lessRestricted(Password(), exportable, policyPrivate.backend);
+ return std::make_tuple(std::move(dbOp), permission, retCode);
+}
- auto digestPriv = CryptoLogic::makeHash(namePrivate, ownerPrivate, cred.clientUid);
- if (digestPriv.empty())
- return CKM_API_ERROR_HASH_ERROR;
+std::tuple<CKMLogic::DBOperation, int> CKMLogic::beginSave(
+ const Credentials &cred,
+ const Name &name,
+ const ClientId &owner)
+{
+ auto [dbOp, retCode] = begin(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return std::make_tuple(std::move(dbOp), retCode);
- auto digestPub = CryptoLogic::makeHash(namePublic, ownerPublic, cred.clientUid);
- if (digestPub.empty())
- return CKM_API_ERROR_HASH_ERROR;
+ retCode = dbOp.loadAppKey(false);
+ if (retCode != CKM_API_SUCCESS)
+ return std::make_tuple(std::move(dbOp), retCode);
- TokenPair keys = m_decider.getStore(policyPrivate, dt.first, dt.second).generateAKey(keyGenParams,
- policyPrivate.password,
- policyPublic.password,
- digestPriv, digestPub);
+ // check if accessor is allowed to save owner's items
+ retCode = m_accessControl.canSave(cred, owner);
+ if (retCode != CKM_API_SUCCESS) {
+ LogDebug("accessor " << cred.client << " can not save rows owned by " << owner);
+ return std::make_tuple(std::move(dbOp), retCode);
+ }
- DB::Crypto::Transaction transactionPriv(&handlerPriv.database);
- // in case the same database is used for private and public - the second
- // transaction will not be executed
- DB::Crypto::Transaction transactionPub(&handlerPub.database);
+ if (dbOp.database().isNameOwnerPresent(name, owner))
+ retCode = CKM_API_ERROR_DB_ALIAS_EXISTS;
- int retCode;
- retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrivate);
- if (CKM_API_SUCCESS != retCode)
- return retCode;
+ return std::make_tuple(std::move(dbOp), retCode);
+}
- retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPublic);
- if (CKM_API_SUCCESS != retCode)
- return retCode;
+std::tuple<CKMLogic::DBOperation, RawBuffer, int> CKMLogic::beginSaveAndGetHash(
+ const Credentials &cred,
+ const Name &name,
+ const ClientId &owner)
+{
+ RawBuffer digest;
+ auto [dbOp, retCode] = beginSave(cred, name, owner);
+ if (retCode == CKM_API_SUCCESS) {
+ digest = CryptoLogic::makeHash(name, owner, cred.clientUid);
+ if (digest.empty())
+ retCode = CKM_API_ERROR_HASH_ERROR;
+ }
- // save the data
- DB::Row rowPrv(std::move(keys.first), namePrivate, ownerPrivate,
- static_cast<int>(policyPrivate.extractable));
- handlerPriv.crypto.encryptRow(rowPrv);
- handlerPriv.database.saveRow(rowPrv);
-
- DB::Row rowPub(std::move(keys.second), namePublic, ownerPublic,
- static_cast<int>(policyPublic.extractable));
- handlerPub.crypto.encryptRow(rowPub);
- handlerPub.database.saveRow(rowPub);
-
- transactionPub.commit();
- transactionPriv.commit();
- return CKM_API_SUCCESS;
+ return std::make_tuple(std::move(dbOp), std::move(digest), retCode);
}
RawBuffer CKMLogic::createKeyPair(
const Credentials &cred,
int msgId,
const CryptoAlgorithmSerializable &keyGenParams,
- const Name &namePrivate,
- const ClientId &ownerPrivate,
- const Name &namePublic,
- const ClientId &ownerPublic,
- const PolicySerializable &policyPrivate,
- const PolicySerializable &policyPublic)
+ const Name &namePrv,
+ const ClientId &ownerPrv,
+ const Name &namePub,
+ const ClientId &ownerPub,
+ const PolicySerializable &policyPrv,
+ const PolicySerializable &policyPub)
{
return SerializeMessage(msgId, tryRet([&] {
- return createKeyPairHelper(cred, keyGenParams, namePrivate, ownerPrivate,
- namePublic, ownerPublic, policyPrivate, policyPublic);
+ auto [dbOpPrv, digestPrv, retCodePrv] = beginSaveAndGetHash(cred, namePrv, ownerPrv);
+ if (retCodePrv != CKM_API_SUCCESS)
+ return retCodePrv;
+
+ auto [dbOpPub, digestPub, retCodePub] = beginSaveAndGetHash(cred, namePub, ownerPub);
+ if (retCodePub != CKM_API_SUCCESS)
+ return retCodePub;
+
+ AlgoType keyType = AlgoType::RSA_GEN;
+
+ if (!keyGenParams.getParam(ParamName::ALGO_TYPE, keyType))
+ ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE not found.");
+
+ const auto dtIt = ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.find(keyType);
+ if (dtIt == ALGO_TYPE_TO_DATA_TYPE_PAIR_MAP.end())
+ ThrowErr(Exc::InputParam, "Error, parameter ALGO_TYPE with wrong value.");
+ const DataTypePair& dt = dtIt->second;
+
+ if (policyPrv.backend != policyPub.backend)
+ ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend.");
+
+ bool exportable = policyPrv.extractable || policyPub.extractable;
+ Policy lessRestricted(Password(), exportable, policyPrv.backend);
+
+ TokenPair keys = m_decider.getStore(policyPrv, dt.first, dt.second).generateAKey(
+ keyGenParams,
+ policyPrv.password,
+ policyPub.password,
+ digestPrv, digestPub);
+
+ dbOpPrv.finalize(std::move(keys.first), policyPrv);
+ dbOpPub.finalize(std::move(keys.second), policyPub);
+
+ return CKM_API_SUCCESS;
}));
}
try {
retCode = tryRet([&] {
- return createKeyAESHelper(cred, size, name, owner, policy);
+ auto [dbOp, digest, retCode] = beginSaveAndGetHash(cred, name, owner);
+ if (retCode != CKM_API_SUCCESS)
+ return retCode;
+
+ // create key in store
+ CryptoAlgorithm keyGenAlgorithm;
+ keyGenAlgorithm.setParam(ParamName::ALGO_TYPE, AlgoType::AES_GEN);
+ keyGenAlgorithm.setParam(ParamName::GEN_KEY_LEN, size);
+ Token key = m_decider.getStore(DataType::KEY_AES, policy).generateSKey(keyGenAlgorithm,
+ policy.password,
+ digest);
+
+ dbOp.finalize(std::move(key), policy);
+ return CKM_API_SUCCESS;
});
} catch (std::invalid_argument &e) {
LogDebug("invalid argument error: " << e.what());
const ClientId &accessor, // who will get the access
const PermissionMask permissionMask)
{
- auto &handler = selectDatabase(cred, owner);
-
- // we don't know the client
- if (cred.client.empty() || !isClientValid(cred.client))
- return CKM_API_ERROR_INPUT_PARAM;
-
- // verify name and owner are correct
- if (!isNameValid(name) || !isClientValid(owner) ||
- !isClientValid(accessor))
- return CKM_API_ERROR_INPUT_PARAM;
+ auto [dbOp, retCode] = beginSave(cred, name, owner);
+ // Normally, saving requires alias to be unoccupied. When changing permissions it's the opposite
+ if (retCode != CKM_API_ERROR_DB_ALIAS_EXISTS) {
+ if (retCode == CKM_API_SUCCESS)
+ retCode = CKM_API_ERROR_DB_ALIAS_UNKNOWN;
+ return retCode;
+ }
// currently we don't support modification of owner's permissions to his own rows
if (owner == accessor)
return CKM_API_ERROR_INPUT_PARAM;
// system database does not support write/remove permissions
- if ((0 == owner.compare(CLIENT_ID_SYSTEM)) &&
- (permissionMask & Permission::REMOVE))
+ if ((0 == owner.compare(CLIENT_ID_SYSTEM)) && (permissionMask & Permission::REMOVE))
return CKM_API_ERROR_INPUT_PARAM;
- // can the client modify permissions to owner's row?
- int retCode = m_accessControl.canModify(cred, owner);
-
- if (retCode != CKM_API_SUCCESS)
- return retCode;
-
- DB::Crypto::Transaction transaction(&handler.database);
-
- if (!handler.database.isNameOwnerPresent(name, owner))
- return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
-
// set permissions to the row owned by owner for accessor
- handler.database.setPermission(name, owner, accessor, permissionMask);
- transaction.commit();
+ dbOp.database().setPermission(name, owner, accessor, permissionMask);
+ dbOp.transaction().commit();
return CKM_API_SUCCESS;
}
projects / platform / core / security / key-manager.git / commitdiff