if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
auto &handle = m_userDataMap[user];
FileSystem fs(user);
- auto wrappedDomainKEK = fs.getDomainKEK();
+ auto wrappedDomainKEK = fs.getDKEK();
if (wrappedDomainKEK.empty()) {
wrappedDomainKEK = KeyProvider::generateDomainKEK(std::to_string(user), password);
- fs.saveDomainKEK(wrappedDomainKEK);
+ fs.saveDKEK(wrappedDomainKEK);
}
handle.keyProvider = KeyProvider(wrappedDomainKEK, password);
- RawBuffer key = handle.keyProvider.getPureDomainKEK();
+ auto wrappedDatabaseDEK = fs.getDBDEK();
+
+ if (wrappedDatabaseDEK.empty()) {
+ wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
+ fs.saveDBDEK(wrappedDatabaseDEK);
+ }
+
+ RawBuffer key = handle.keyProvider.getPureDEK(wrappedDatabaseDEK);
handle.database = DBCrypto(fs.getDBPath(), key);
handle.crypto = CryptoLogic();
// TODO wipe key
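Review bot: The return value of `fs.saveDBDEK(wrappedDatabaseDEK)` is discarded, so a failed write leaves the database opened with a DEK that exists only in memory, and the next unlock would find no stored DEK and generate a different one. I would fail the unlock in that case, e.g. `if (!fs.saveDBDEK(wrappedDatabaseDEK)) { /* report the error and do not open the database */ }`; the same applies to the existing `fs.saveDKEK(wrappedDomainKEK)` call above it. Separately, a user whose database was created before this change has no stored DBDEK, so this path appears to generate a fresh DEK for a database that was keyed with `getPureDomainKEK()`; if such databases exist in the field, a migration step is needed. The enclosing function starts and ends outside the hunk.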
int retCode = CKM_API_SUCCESS;
try {
FileSystem fs(user);
- auto wrappedDomainKEK = fs.getDomainKEK();
+ auto wrappedDomainKEK = fs.getDKEK();
if (wrappedDomainKEK.empty()) {
retCode = CKM_API_ERROR_BAD_REQUEST;
} else {
wrappedDomainKEK = KeyProvider::reencrypt(wrappedDomainKEK, oldPassword, newPassword);
- fs.saveDomainKEK(wrappedDomainKEK);
+ fs.saveDKEK(wrappedDomainKEK);
}
} catch (const KeyProvider::Exception::PassWordError &e) {
LogError("Incorrect Password " << e.GetMessage());
} else {
auto &handler = m_userDataMap[user];
FileSystem fs(user);
- fs.saveDomainKEK(handler.keyProvider.getWrappedDomainKEK(newPassword));
+ fs.saveDKEK(handler.keyProvider.getWrappedDomainKEK(newPassword));
}
MessageBuffer response;
static const std::string CKM_DATA_PATH = "/opt/data/ckm/";
static const std::string CKM_KEY_PREFIX = "key-";
+static const std::string CKM_DB_KEY_PREFIX = "db-key-";
static const std::string CKM_DB_PREFIX = "db-";
} // namespace anonymous
return ss.str();
}
-RawBuffer FileSystem::getDomainKEK() const
-{
- std::ifstream is(getDKEKPath());
+std::string FileSystem::getDBDEKPath() const {
+ std::stringstream ss;
+ ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_uid;
+ return ss.str();
+}
+
+RawBuffer FileSystem::loadFile(const std::string &path) const {
+ std::ifstream is(path);
+
+ if (is.fail())
+ return RawBuffer();
+
std::istreambuf_iterator<char> begin(is),end;
std::vector<char> buff(begin,end); // This trick does not work with boost vector
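Review bot: `loadFile` returns an empty `RawBuffer` for every open failure, so a key file that exists but cannot be read looks the same to callers as one that was never created. The unlock path on this page treats an empty result as "no key yet" and generates and saves a replacement, which would overwrite a wrapped key that was only temporarily unreadable and leave the data protected by it unrecoverable. I would return empty only when the file is absent and signal any other failure as an error, and document the contract above the function, e.g. `// Returns an empty buffer only if the file does not exist; other I/O errors are reported to the caller.` The function body continues past the end of this hunk.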
return buffer;
}
-bool FileSystem::saveDomainKEK(const RawBuffer &buffer) const
+RawBuffer FileSystem::getDKEK() const
+{
+ return loadFile(getDKEKPath());
+}
+
+RawBuffer FileSystem::getDBDEK() const
{
- std::ofstream os(getDKEKPath(), std::ios::out | std::ofstream::binary);
+ return loadFile(getDBDEKPath());
+}
+
+bool FileSystem::saveFile(const std::string &path, const RawBuffer &buffer) const {
+ std::ofstream os(path, std::ios::out | std::ofstream::binary);
std::copy(buffer.begin(), buffer.end(), std::ostreambuf_iterator<char>(os));
return !os.fail();
}
+bool FileSystem::saveDKEK(const RawBuffer &buffer) const {
+ return saveFile(getDKEKPath(), buffer);
+}
+
+bool FileSystem::saveDBDEK(const RawBuffer &buffer) const {
+ return saveFile(getDBDEKPath(), buffer);
+}
+
int FileSystem::init() {
errno = 0;
if ((mkdir(CKM_DATA_PATH.c_str(), 0700)) && (errno != EEXIST)) {
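Review bot: In `saveFile`, `!os.fail()` does not reflect write errors: `std::ostreambuf_iterator` writes straight to the stream buffer without touching the stream's state bits, and the buffered data is not flushed before the check, so a full disk or I/O error can still return `true`. Since the files stored here are wrapped keys, a silently truncated write means the key cannot be unwrapped later. Something like `os.write(reinterpret_cast<const char *>(buffer.data()), buffer.size()); os.flush(); return os.good();` would surface the error (assuming `RawBuffer` is a contiguous byte container, which is not visible here). Writing to a temporary file in the same directory and calling `rename()` over the target would also avoid leaving a half-written key after a crash.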
int FileSystem::removeUserData() const {
int err, retCode = 0;
+
if (unlink(getDBPath().c_str())) {
retCode = -1;
err = errno;
LogError("Error in unlink user database: " << getDBPath()
<< "Errno: " << errno << " " << strerror(err));
}
+
if (unlink(getDKEKPath().c_str())) {
retCode = -1;
err = errno;
LogError("Error in unlink user DKEK: " << getDKEKPath()
<< "Errno: " << errno << " " << strerror(err));
}
+
+ if (unlink(getDBDEKPath().c_str())) {
+ retCode = -1;
+ err = errno;
+ LogError("Error in unlink user DBDEK: " << getDBDEKPath()
+ << "Errno: " << errno << " " << strerror(err));
+ }
+
return retCode;
}
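Review bot: The new `unlink(getDBDEKPath().c_str())` block treats a missing file as a failure, so removing a user who has a database and DKEK from before this change but no stored DBDEK returns -1 even though nothing is left behind. I would accept `ENOENT` there, `if (unlink(getDBDEKPath().c_str()) && errno != ENOENT) {`, and consider the same for the two blocks above it. The log line also streams `errno` after other calls in the expression may have changed it and has no separator before "Errno:"; using the saved value for both, `<< " Errno: " << err << " " << strerror(err)`, keeps the message accurate.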
FileSystem(uid_t uid);
std::string getDBPath() const;
- RawBuffer getDomainKEK() const;
- bool saveDomainKEK(const RawBuffer &buffer) const;
+
+ // Domain Key Encryption Key
+ RawBuffer getDKEK() const;
+ bool saveDKEK(const RawBuffer &buffer) const;
+
+ // Database Data Encryption Key
+ RawBuffer getDBDEK() const;
+ bool saveDBDEK(const RawBuffer &buffer) const;
+
int removeUserData() const;
static int init();
virtual ~FileSystem(){}
protected:
std::string getDKEKPath() const;
+ std::string getDBDEKPath() const;
+ RawBuffer loadFile(const std::string &path) const;
+ bool saveFile(const std::string &path, const RawBuffer &buffer) const;
uid_t m_uid;
};