From ed0f67e5e8b7c89765a364a60b5e844f5ffd1245 Mon Sep 17 00:00:00 2001 From: Bartlomiej Grzelewski Date: Fri, 12 Jun 2015 15:32:28 +0200 Subject: [PATCH] Use new exception types in KeyProvider class. This commit also removed exception throw in object destructor. Change-Id: I55f58bd5e63261632404557f60caa7f0af393714 --- src/manager/service/ckm-logic.cpp | 33 ++----------------- src/manager/service/key-provider.cpp | 62 ++++++++++++++++-------------------- src/manager/service/key-provider.h | 17 ---------- tests/main.cpp | 12 ++++--- tests/test-key-provider.cpp | 5 +-- 5 files changed, 40 insertions(+), 89 deletions(-) diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index a2c3e45..7ec4213 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp @@ -162,12 +162,6 @@ int CKMLogic::unlockDatabase(uid_t user, const Password & password) handle.database.deleteKey(appSmackLabel); } } - } catch (const KeyProvider::Exception::PassWordError &e) { - LogError("Incorrect Password " << e.GetMessage()); - retCode = CKM_API_ERROR_AUTHENTICATION_FAILED; - } catch (const KeyProvider::Exception::Base &e) { - LogError("Error in KeyProvider " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const Exc::Exception &e) { retCode = e.error(); } catch (const CKM::Exception &e) { @@ -283,12 +277,6 @@ RawBuffer CKMLogic::changeUserPassword( try { retCode = changeUserPasswordHelper(user, oldPassword, newPassword); - } catch (const KeyProvider::Exception::PassWordError &e) { - LogError("Incorrect Password " << e.GetMessage()); - retCode = CKM_API_ERROR_AUTHENTICATION_FAILED; - } catch (const KeyProvider::Exception::Base &e) { - LogError("Error in KeyProvider " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const Exc::Exception &e) { retCode = e.error(); } catch (const CKM::Exception &e) { @@ -500,9 +488,6 @@ int CKMLogic::verifyAndSaveDataHelper( { retCode = saveDataHelper(cred, name, label, dataType, binaryData, policy); } - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with message: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const DB::Crypto::Exception::InternalError &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; @@ -592,9 +577,8 @@ RawBuffer CKMLogic::savePKCS12( int retCode = CKM_API_ERROR_UNKNOWN; try { retCode = saveDataHelper(cred, name, label, pkcs, keyPolicy, certPolicy); - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with message: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; + } catch (const Exc::Exception &e) { + retCode = e.error(); } catch (const DB::Crypto::Exception::InternalError &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; @@ -876,9 +860,6 @@ RawBuffer CKMLogic::getData( try { retCode = readDataHelper(true, cred, dataType, name, label, password, row); - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with error: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const DB::Crypto::Exception::Base &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; @@ -964,10 +945,6 @@ RawBuffer CKMLogic::getPKCS12( // prepare response if(retCode == CKM_API_SUCCESS) output = PKCS12Serializable(privKey, cert, caChain); - - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with error: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const DB::Crypto::Exception::Base &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; @@ -1470,9 +1447,6 @@ RawBuffer CKMLogic::createSignature( if(retCode == CKM_API_SUCCESS) { signature = m_decider.getStore(row).getKey(row)->sign(cryptoAlg, message); } - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with message: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const DB::Crypto::Exception::Base &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; @@ -1523,9 +1497,6 @@ RawBuffer CKMLogic::verifySignature( } } catch (const Exc::Exception &e) { retCode = e.error(); - } catch (const KeyProvider::Exception::Base &e) { - LogError("KeyProvider failed with error: " << e.GetMessage()); - retCode = CKM_API_ERROR_SERVER_ERROR; } catch (const DB::Crypto::Exception::Base &e) { LogError("DB::Crypto failed with message: " << e.GetMessage()); retCode = CKM_API_ERROR_DB_ERROR; diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp index 48db9c0..23ca201 100644 --- a/src/manager/service/key-provider.cpp +++ b/src/manager/service/key-provider.cpp @@ -1,3 +1,4 @@ +#include #include #include @@ -100,14 +101,11 @@ KeyAndInfoContainer::~KeyAndInfoContainer() { // overwrite key char *ptr = reinterpret_cast(keyAndInfo); - for (size_t size = 0; size < sizeof(KeyAndInfo); ++size) - ptr[size] = 0; + memset(ptr, 0, sizeof(KeyAndInfo)); // verification for (size_t size = 0; size < sizeof(KeyAndInfo); ++size) { - if (0 != ptr[size]) { - delete keyAndInfo; - ThrowMsg(Exception::Base, "KeyAndInfo in KeyAndInfoContainer " - "was not destroyed!"); + if (ptr[size]) { + LogError("Write momory error! Memory used by key was not owerwritten."); } } delete keyAndInfo; @@ -127,12 +125,12 @@ KeyProvider::KeyProvider( , m_isInitialized(true) { if (!m_isInitialized) { - ThrowMsg(Exception::InitFailed, "Object not initialized!. Should not happened"); + ThrowErr(Exc::InternalError, "Object not initialized!. Should not happened"); } if (domainKEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)) { LogError("input size:" << domainKEKInWrapForm.size() << " Expected: " << sizeof(WrappedKeyAndInfo)); - ThrowMsg(Exception::InputParamError, "buffer doesn't have proper size to store WrappedKeyAndInfo in KeyProvider Constructor"); + ThrowErr(Exc::InternalError, "buffer doesn't have proper size to store WrappedKeyAndInfo in KeyProvider Constructor"); } WrappedKeyAndInfoContainer wkmcDKEK = WrappedKeyAndInfoContainer(domainKEKInWrapForm.data()); @@ -154,7 +152,7 @@ KeyProvider::KeyProvider( PKEK1)) { delete[] concat_user_pass; - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } delete[] concat_user_pass; @@ -169,7 +167,7 @@ KeyProvider::KeyProvider( wkmcDKEK.getWrappedKeyAndInfo().keyInfo.iv, m_kmcDKEK->getKeyAndInfo().key))) { - ThrowMsg(Exception::PassWordError, "VerifyDomainKEK failed in KeyProvider Constructor"); + ThrowErr(Exc::AuthenticationFailed, "VerifyDomainKEK failed in KeyProvider Constructor"); } m_kmcDKEK->setKeyInfo(&(wkmcDKEK.getWrappedKeyAndInfo().keyInfo)); @@ -205,7 +203,7 @@ bool KeyProvider::isInitialized() RawBuffer KeyProvider::getPureDomainKEK() { if (!m_isInitialized) { - ThrowMsg(Exception::InitFailed, "Object not initialized!"); + ThrowErr(Exc::InternalError, "Object not initialized!"); } // TODO secure @@ -215,7 +213,7 @@ RawBuffer KeyProvider::getPureDomainKEK() RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) { if (!m_isInitialized) { - ThrowMsg(Exception::InitFailed, "Object not initialized!"); + ThrowErr(Exc::InternalError, "Object not initialized!"); } WrappedKeyAndInfoContainer wkmcDKEK = WrappedKeyAndInfoContainer(); @@ -237,7 +235,7 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) PKEK1)) { delete[] concat_user_pass; - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } delete[] concat_user_pass; @@ -254,7 +252,7 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) wkmcDKEK.getWrappedKeyAndInfo().wrappedKey, wkmcDKEK.getWrappedKeyAndInfo().keyInfo.tag))) { - ThrowMsg(Exception::InitFailed, "WrapDKEK Failed in KeyProvider::getDomainKEK"); + ThrowErr(Exc::InternalError, "WrapDKEK Failed in KeyProvider::getDomainKEK"); } wkmcDKEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength); @@ -267,13 +265,13 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) { if (!m_isInitialized) { - ThrowMsg(Exception::InitFailed, "Object not initialized!"); + ThrowErr(Exc::InternalError, "Object not initialized!"); } if (DEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)){ LogError("input size:" << DEKInWrapForm.size() << " Expected: " << sizeof(WrappedKeyAndInfo)); - ThrowMsg(Exception::InputParamError, + ThrowErr(Exc::InternalError, "buffer doesn't have proper size to store " "WrappedKeyAndInfo in KeyProvider::getPureDEK"); } @@ -293,7 +291,7 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) MAX_KEY_SIZE, PKEK2)) { - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } if (0 > (keyLength = decryptAes256Gcm( @@ -304,7 +302,7 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) wkmcDEK.getWrappedKeyAndInfo().keyInfo.iv, kmcDEK.getKeyAndInfo().key))) { - ThrowMsg(Exception::UnwrapFailed, + ThrowErr(Exc::InternalError, "UnwrapDEK Failed in KeyProvider::getPureDEK"); } @@ -319,8 +317,7 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) { if (!m_isInitialized) { - ThrowMsg(Exception::InitFailed, - "Object not initialized!"); + ThrowErr(Exc::InternalError, "Object not initialized!"); } WrappedKeyAndInfoContainer wkmcDEK = WrappedKeyAndInfoContainer(); @@ -336,7 +333,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) if (!RAND_bytes(key, m_kmcDKEK->getKeyAndInfo().keyInfo.keyLength) || !RAND_bytes(wkmcDEK.getWrappedKeyAndInfo().keyInfo.iv, MAX_IV_SIZE)) { - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } if (!PKCS5_PBKDF2_HMAC_SHA1( @@ -348,7 +345,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) MAX_KEY_SIZE, PKEK2)) { - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } int wrappedKeyLength; @@ -361,8 +358,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) wkmcDEK.getWrappedKeyAndInfo().wrappedKey, wkmcDEK.getWrappedKeyAndInfo().keyInfo.tag))) { - ThrowMsg(Exception::GenFailed, - "GenerateDEK Failed in KeyProvider::generateDEK"); + ThrowErr(Exc::InternalError, "GenerateDEK Failed in KeyProvider::generateDEK"); } wkmcDEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength); @@ -381,7 +377,7 @@ RawBuffer KeyProvider::reencrypt( if (domainKEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)) { LogError("input size:" << domainKEKInWrapForm.size() << " Expected: " << sizeof(WrappedKeyAndInfo)); - ThrowMsg(Exception::InputParamError, + ThrowErr(Exc::InternalError, "buffer doesn't have proper size to store " "WrappedKeyAndInfo in KeyProvider::reencrypt"); } @@ -409,7 +405,7 @@ RawBuffer KeyProvider::reencrypt( PKEK1)) { delete[] concat_user_pass; - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } delete[] concat_user_pass; @@ -421,8 +417,7 @@ RawBuffer KeyProvider::reencrypt( wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.iv, kmcDKEK.getKeyAndInfo().key))) { - ThrowMsg(Exception::PassWordError, - "Incorrect Old Password "); + ThrowErr(Exc::AuthenticationFailed, "Incorrect Old Password "); } kmcDKEK.setKeyInfo(&(wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo)); @@ -442,7 +437,7 @@ RawBuffer KeyProvider::reencrypt( PKEK1)) { delete[] concat_user_pass; - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); } delete[] concat_user_pass; @@ -458,8 +453,7 @@ RawBuffer KeyProvider::reencrypt( wkmcNewDKEK.getWrappedKeyAndInfo().wrappedKey, wkmcNewDKEK.getWrappedKeyAndInfo().keyInfo.tag))) { - ThrowMsg(Exception::UnwrapFailed, - "UpdateDomainKEK in KeyProvider::reencrypt Failed"); + ThrowErr(Exc::InternalError, "UpdateDomainKEK in KeyProvider::reencrypt Failed"); } wkmcNewDKEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength); @@ -479,7 +473,7 @@ RawBuffer KeyProvider::generateDomainKEK( if (!RAND_bytes(wkmcDKEK.getWrappedKeyAndInfo().keyInfo.salt, MAX_SALT_SIZE) || !RAND_bytes(key, MAX_KEY_SIZE) || !RAND_bytes(wkmcDKEK.getWrappedKeyAndInfo().keyInfo.iv, MAX_IV_SIZE)) - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINE_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); int wrappedKeyLength; char *concat_user_pass = NULL; @@ -494,7 +488,7 @@ RawBuffer KeyProvider::generateDomainKEK( PKEK1)) { delete[] concat_user_pass; - ThrowMsg(Exception::OpensslEngineError, "OPENSSL_ENGINED_ERROR"); + ThrowErr(Exc::InternalError, "OPENSSL_ENGINED_ERROR"); } delete[] concat_user_pass; @@ -507,7 +501,7 @@ RawBuffer KeyProvider::generateDomainKEK( wkmcDKEK.getWrappedKeyAndInfo().wrappedKey, wkmcDKEK.getWrappedKeyAndInfo().keyInfo.tag))) { - ThrowMsg(Exception::GenFailed, + ThrowErr(Exc::InternalError, "GenerateDomainKEK Failed in KeyProvider::generateDomainKEK"); } diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h index a386652..918a622 100644 --- a/src/manager/service/key-provider.h +++ b/src/manager/service/key-provider.h @@ -9,7 +9,6 @@ #include #include -#include #ifndef SUCCESS #define SUCCESS 0 @@ -82,10 +81,6 @@ private: class KeyAndInfoContainer{ public: - class Exception{ - public: - DECLARE_EXCEPTION_TYPE(CKM::Exception, Base) - }; KeyAndInfoContainer(); KeyAndInfoContainer(const unsigned char*); KeyAndInfo& getKeyAndInfo(); @@ -100,18 +95,6 @@ private: // This is internal api so all functions should throw exception on errors. class KeyProvider { public: - class Exception { - public: - DECLARE_EXCEPTION_TYPE(CKM::Exception, Base) - DECLARE_EXCEPTION_TYPE(Base, InitFailed) - DECLARE_EXCEPTION_TYPE(Base, GenFailed) - DECLARE_EXCEPTION_TYPE(Base, WrapFailed) - DECLARE_EXCEPTION_TYPE(Base, UnwrapFailed) - DECLARE_EXCEPTION_TYPE(Base, PassWordError) - DECLARE_EXCEPTION_TYPE(Base, InputParamError) - DECLARE_EXCEPTION_TYPE(Base, OpensslEngineError) - }; - // To store in std containers KeyProvider(); // In constructor you must check if SKMM is initialized. On error -> exception diff --git a/tests/main.cpp b/tests/main.cpp index 0a47fd8..efaf1be 100644 --- a/tests/main.cpp +++ b/tests/main.cpp @@ -28,6 +28,8 @@ #include #include +#include + struct TestConfig { TestConfig() { boost::unit_test::unit_test_log.set_threshold_level( boost::unit_test::log_test_units); @@ -42,17 +44,17 @@ bool isLibInitialized = false; struct KeyProviderLib { KeyProviderLib() { - Try { + try { CKM::KeyProvider::initializeLibrary(); isLibInitialized = true; - } - Catch (CKM::Exception) { + } catch (const CKM::Exc::Exception &) { std::cout << "Library initialization failed!" << std::endl; } } ~KeyProviderLib() { - Try { CKM::KeyProvider::closeLibrary(); } - Catch (CKM::Exception) { + try { + CKM::KeyProvider::closeLibrary(); + } catch (const CKM::Exc::Exception &) { std::cout << "Library deinitialization failed!" << std::endl; } } diff --git a/tests/test-key-provider.cpp b/tests/test-key-provider.cpp index 433e8ec..92f7e07 100644 --- a/tests/test-key-provider.cpp +++ b/tests/test-key-provider.cpp @@ -1,5 +1,6 @@ #define BOOST_TEST_MODULE KEY_MANAGER_TEST #include +#include #include #include #include @@ -36,7 +37,7 @@ BOOST_AUTO_TEST_CASE(KeyDomainKekInvalidPassword){ BOOST_REQUIRE_NO_THROW(rb_test = CKM::KeyProvider::generateDomainKEK(USERNAME_LONG, PASSWORD)); BOOST_REQUIRE_THROW(keyProvider = CKM::KeyProvider(rb_test, INCORRECT_PASSWORD), - CKM::KeyProvider::Exception::PassWordError); + CKM::Exc::AuthenticationFailed); BOOST_REQUIRE_MESSAGE(!keyProvider.isInitialized(), "KeyProvider not created, but initialized"); } @@ -114,7 +115,7 @@ BOOST_AUTO_TEST_CASE(KeyReencrypt_incorrect_password){ BOOST_REQUIRE_NO_THROW(rb_test = CKM::KeyProvider::generateDomainKEK(USERNAME_LONG, PASSWORD)); BOOST_REQUIRE_THROW((rb_test = CKM::KeyProvider::reencrypt(rb_test, INCORRECT_PASSWORD, - NEW_PASSWORD)), CKM::KeyProvider::Exception::PassWordError); + NEW_PASSWORD)), CKM::Exc::AuthenticationFailed); } BOOST_AUTO_TEST_CASE(KeyGetPureDEK_after_reencrypt){ -- 2.7.4