From: Kyungwook Tak Date: Mon, 7 Sep 2015 11:31:26 +0000 (+0900) Subject: Old privileges restored X-Git-Tag: accepted/tizen/mobile/20150908.231847~1 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Fsecurity%2Fkey-manager.git;a=commitdiff_plain;h=42a14dd9afaec7949cf4dec5d7be261a43b1e0a3 Old privileges restored Change-Id: I62335aa31fa14bf2712a72605c97ad5e9fed8a09 Signed-off-by: Kyungwook Tak --- diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp index 132e6a8..0bc83a1 100644 --- a/src/manager/service/ckm-service.cpp +++ b/src/manager/service/ckm-service.cpp @@ -31,6 +31,15 @@ namespace { const CKM::InterfaceID SOCKET_ID_CONTROL = 0; const CKM::InterfaceID SOCKET_ID_STORAGE = 1; + +template +CKM::RawBuffer disallowed(int command, int msgID, Args&&... args) { + LogError("Disallowed command: " << command); + return CKM::MessageBuffer::Serialize(command, + msgID, + CKM_API_ERROR_ACCESS_DENIED, + std::move(args)...).Pop(); +} } // namespace anonymous namespace CKM { @@ -65,12 +74,10 @@ void CKMService::SetCommManager(CommMgr *manager) Register(*manager); } -// CKMService does not support security check -// so 3rd parameter is not used bool CKMService::ProcessOne( const ConnectionID &conn, ConnectionInfo &info, - bool /*allowed*/) + bool allowed) { LogDebug ("process One"); RawBuffer response; @@ -82,7 +89,7 @@ bool CKMService::ProcessOne( if (info.interfaceID == SOCKET_ID_CONTROL) response = ProcessControl(info.buffer); else - response = ProcessStorage(info.credentials, info.buffer); + response = ProcessStorage(info.credentials, info.buffer, allowed); m_serviceManager->Write(conn, response); @@ -163,7 +170,7 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer) { } } -RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) +RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer, bool allowed) { int command = 0; int msgID = 0; 
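Review bot: In the new `disallowed` helper the variadic parameters are forwarding references (`Args&&... args`) but are consumed with `std::move(args)...`; the idiom for that signature is `std::forward<Args>(args)...`, and while every caller in this commit passes a temporary, a later lvalue argument would be silently moved-from. The template parameter list did not survive this rendering, so this assumes the usual `template <typename... Args>`. The denial log records only the command; if the caller's `Credentials` are reachable at the call sites, threading the client label (or uid) through and logging it would make refused requests auditable rather than anonymous. A comment on the trailing arguments would also help the next maintainer: `// Trailing args are placeholder values so the denial reply has the same wire shape as a success reply for this command.`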
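Review bot: `allowed` is forwarded only on the storage branch; the control branch still calls `ProcessControl(info.buffer)` without it, so control commands are not gated by this flag. That is presumably deliberate because the control socket is restricted by its own privilege or socket permissions in the service description, which this diff does not show — confirm it and record it at the branch: `// Control socket is restricted at the socket level; 'allowed' gates storage requests only.` ProcessOne's body continues outside the hunk.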
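Review bot: The new `allowed` parameter of `ProcessStorage` is undocumented, and its scope matters: it is the outcome of the socket-level privilege check performed before `ProcessOne` is called, not a per-object authorization decision. A header comment would stop a later reader from treating it as the only access control: `// allowed: caller holds the privilege bound to this socket (checked by the base service); per-object ownership and permission checks are still expected in CKMLogic.` The second half of that comment is inferred from the `m_logic->...(cred, ...)` calls and should be confirmed against CKMLogic. The function body runs past this hunk.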
@@ -191,6 +198,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) RawBuffer rawData; PolicySerializable policy; buffer.Deserialize(tmpDataType, name, label, rawData, policy); + + if (!allowed) + return disallowed(command, msgID, static_cast(DataType(tmpDataType))); + return m_logic->saveData( cred, msgID, @@ -206,6 +217,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) PKCS12Serializable pkcs; PolicySerializable keyPolicy, certPolicy; buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->savePKCS12( cred, msgID, @@ -218,6 +233,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::REMOVE: { buffer.Deserialize(name, label); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->removeData( cred, msgID, @@ -228,6 +247,13 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) { Password password; buffer.Deserialize(tmpDataType, name, label, password); + + if (!allowed) + return disallowed(command, + msgID, + static_cast(DataType(tmpDataType)), + RawBuffer()); + return m_logic->getData( cred, msgID, @@ -244,6 +270,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) label, passKey, passCert); + + if (!allowed) + return disallowed(command, msgID, PKCS12Serializable()); + return m_logic->getPKCS12( cred, msgID, @@ -255,6 +285,13 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::GET_LIST: { buffer.Deserialize(tmpDataType); + + if (!allowed) + return disallowed(command, + msgID, + static_cast(DataType(tmpDataType)), + LabelNameVector()); + return m_logic->getDataList( cred, msgID, 
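Review bot: `buffer.Deserialize(tmpDataType, name, label, rawData, policy)` runs before the `if (!allowed)` check, so an unprivileged client still drives full deserialization of attacker-controlled policy and raw data before being refused, and every case in this diff follows the same order. That looks necessary here because the refusal echoes `tmpDataType` and the request must be consumed from the stream, but it means any parsing failure on untrusted input is reachable without the privilege, so the exception path around `ProcessStorage` (outside this hunk) should be confirmed to reply or drop the connection cleanly. A short comment would make the ordering intentional rather than accidental: `// Deserialize first: the request must be consumed and the denial reply echoes the data type.` The enclosing switch continues beyond the hunk.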
@@ -270,6 +307,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) policyKey, keyName, keyLabel); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->createKeyAES( cred, msgID, @@ -294,6 +335,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) privateKeyLabel, publicKeyName, publicKeyLabel); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->createKeyPair( cred, msgID, @@ -312,6 +357,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) RawBufferVector trustedVector; bool systemCerts = false; buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts); + + if (!allowed) + return disallowed(command, msgID, RawBufferVector()); + return m_logic->getCertificateChain( cred, msgID, @@ -327,6 +376,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) LabelNameVector trustedVector; bool systemCerts = false; buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts); + + if (!allowed) + return disallowed(command, msgID, LabelNameVector()); + return m_logic->getCertificateChain( cred, msgID, @@ -341,6 +394,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) RawBuffer message; int padding = 0, hash = 0; buffer.Deserialize(name, label, password, message, hash, padding); + + if (!allowed) + return disallowed(command, msgID, RawBuffer()); + return m_logic->createSignature( cred, msgID, @@ -366,6 +423,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) signature, hash, padding); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->verifySignature( cred, msgID, 
@@ -381,6 +442,10 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) { PermissionMask permissionMask = 0; buffer.Deserialize(name, label, accessorLabel, permissionMask); + + if (!allowed) + return disallowed(command, msgID); + return m_logic->setPermission( cred, command, @@ -412,16 +477,5 @@ void CKMService::ProcessMessage(MsgKeyRequest msg) } } -void CKMService::CustomHandle(const ReadEvent &event) { - LogDebug("Read event"); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - while(ProcessOne(event.connectionID, info, true)); -} - -void CKMService::CustomHandle(const SecurityEvent & /*event*/) { - LogError("This should not happend! SecurityEvent was called on CKMService!"); -} - } // namespace CKM diff --git a/src/manager/service/ckm-service.h b/src/manager/service/ckm-service.h index 5b6221e..5a96f23 100644 --- a/src/manager/service/ckm-service.h +++ b/src/manager/service/ckm-service.h @@ -39,16 +39,6 @@ public: CKMService& operator=(const CKMService &) = delete; CKMService& operator=(CKMService &&) = delete; - // Custom add custom support for ReadEvent and SecurityEvent - // because we want to bypass security check in CKMService - virtual void Event(const ReadEvent &event) { - CreateEvent([this, event]() { this->CustomHandle(event); }); - } - - virtual void Event(const SecurityEvent &event) { - CreateEvent([this, event]() { this->CustomHandle(event); }); - } - virtual void Start(void); virtual void Stop(void); @@ -56,11 +46,6 @@ public: ServiceDescriptionVector GetServiceDescription(); -protected: - // CustomHandle is used to bypass security check - void CustomHandle(const ReadEvent &event); - void CustomHandle(const SecurityEvent &event); - private: virtual void SetCommManager(CommMgr *manager); 
@@ -80,7 +65,8 @@ private: RawBuffer ProcessStorage( Credentials &cred, - MessageBuffer &buffer); + MessageBuffer &buffer, + bool allowed); virtual void ProcessMessage(MsgKeyRequest msg); diff --git a/src/manager/service/ocsp-service.cpp b/src/manager/service/ocsp-service.cpp index e65114d..33111d5 100644 --- a/src/manager/service/ocsp-service.cpp +++ b/src/manager/service/ocsp-service.cpp @@ -53,7 +53,7 @@ void OCSPService::Stop() { GenericSocketService::ServiceDescriptionVector OCSPService::GetServiceDescription() { return ServiceDescriptionVector { - {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/internet", SOCKET_ID_OCSP} + {SERVICE_SOCKET_OCSP, "http://tizen.org/privilege/keymanager", SOCKET_ID_OCSP} }; }
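Review bot: Switching the OCSP socket from `http://tizen.org/privilege/internet` to `http://tizen.org/privilege/keymanager` means the daemon performs outbound OCSP requests on behalf of any client holding the key-manager privilege, including clients that do not themselves hold the internet privilege — a confused-deputy shape that deserves to be stated explicitly. If the service description accepts only one privilege per socket, as the single string field suggests, record the trade-off beside it: `// OCSP is network-bound: the daemon performs the network access on behalf of callers that hold only the keymanager privilege.` If callers are instead expected to hold both privileges, consider checking `internet` in the OCSP handler itself. GetServiceDescription's body is fully within the hunk.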