authorjk7744.park <jk7744.park@samsung.com>2015-10-24 17:01:25 +0900
committerjk7744.park <jk7744.park@samsung.com>2015-10-24 17:01:25 +0900
commitdf7e770370347fe99319c4adb9ec051826e5644b (patch)
tree69f3ccbb7b2e78b8d48fc74d3798016d14b7e531
parentcb8b5678a4a3e67e7c23164a7eb14df191ab968b (diff)
-rw-r--r--CMakeLists.txt20
-rw-r--r--build/key-manager.pc.in2
-rw-r--r--data/scripts/migrate_1.sql1
-rw-r--r--data/scripts/migrate_2.sql2
-rwxr-xr-xdoc/images/capi_key_manager_overview_diagram.png (renamed from doc/mobile/images/capi_key_manager_overview_diagram.png)bin20153 -> 20153 bytes
-rw-r--r--doc/key-manager-client_doc.h (renamed from doc/mobile/key-manager-client_doc.h)0
-rw-r--r--doc/key-manager-control_doc.h (renamed from doc/wearable/key-manager-control_doc.h)1
-rw-r--r--doc/key-manager-types_doc.h (renamed from doc/mobile/key-manager-types_doc.h)0
-rw-r--r--doc/key-manager_doc.h (renamed from doc/mobile/key-manager_doc.h)4
-rw-r--r--doc/mobile/key-manager-control_doc.h32
-rwxr-xr-xdoc/wearable/images/capi_key_manager_overview_diagram.pngbin20153 -> 0 bytes
-rw-r--r--doc/wearable/key-manager-client_doc.h31
-rw-r--r--doc/wearable/key-manager-types_doc.h32
-rw-r--r--doc/wearable/key-manager_doc.h84
-rw-r--r--packaging/key-manager-listener.manifest13
-rw-r--r--packaging/key-manager.manifest14
-rw-r--r--packaging/key-manager.spec108
-rw-r--r--src/CMakeLists.txt30
-rw-r--r--src/include/ckm/ckm-client-info.h58
-rw-r--r--src/include/ckm/ckm-control.h15
-rw-r--r--src/include/ckm/ckm-error.h3
-rw-r--r--src/include/ckm/ckm-type.h1
-rw-r--r--src/include/ckmc/ckmc-control.h60
-rw-r--r--src/include/ckmc/ckmc-error.h3
-rw-r--r--src/include/ckmc/ckmc-manager.h445
-rw-r--r--src/include/ckmc/ckmc-type.h405
-rw-r--r--src/listener/CMakeLists.txt33
-rw-r--r--src/listener/listener-daemon.cpp117
-rw-r--r--src/manager/CMakeLists.txt16
-rw-r--r--src/manager/client-capi/ckmc-control.cpp55
-rw-r--r--src/manager/client-capi/ckmc-manager.cpp200
-rw-r--r--src/manager/client-capi/ckmc-type-converter.cpp24
-rw-r--r--src/manager/client-capi/ckmc-type-converter.h1
-rw-r--r--src/manager/client-capi/ckmc-type.cpp63
-rw-r--r--src/manager/client/client-control.cpp48
-rw-r--r--src/manager/client/client-manager-impl.cpp19
-rw-r--r--src/manager/client/client-manager-impl.h12
-rw-r--r--src/manager/common/client-info-impl.cpp65
-rw-r--r--src/manager/common/key-impl.cpp12
-rw-r--r--src/manager/common/key-impl.h1
-rw-r--r--src/manager/common/protocols.cpp84
-rw-r--r--src/manager/common/protocols.h6
-rw-r--r--src/manager/dpl/core/include/dpl/serialization.h5
-rw-r--r--src/manager/dpl/core/src/exception.cpp11
-rw-r--r--src/manager/dpl/db/src/sql_connection.cpp6
-rw-r--r--src/manager/dpl/log/src/log.cpp22
-rw-r--r--src/manager/listener/listener-thread.cpp159
-rw-r--r--src/manager/listener/listener-thread.h (renamed from src/manager/main/smack-check.h)43
-rw-r--r--src/manager/main/generic-socket-manager.h2
-rw-r--r--src/manager/main/key-manager-main.cpp9
-rw-r--r--src/manager/main/smack-check.cpp34
-rw-r--r--src/manager/main/socket-manager.cpp130
-rw-r--r--src/manager/main/socket-manager.h7
-rw-r--r--src/manager/service/CryptoService.cpp236
-rw-r--r--src/manager/service/CryptoService.h3
-rw-r--r--src/manager/service/access-control.cpp14
-rw-r--r--src/manager/service/certificate-store.cpp2
-rw-r--r--src/manager/service/ckm-logic.cpp230
-rw-r--r--src/manager/service/ckm-logic.h17
-rw-r--r--src/manager/service/ckm-service.cpp40
-rw-r--r--src/manager/service/crypto-logic.cpp5
-rw-r--r--src/manager/service/crypto-logic.h1
-rw-r--r--src/manager/service/db-crypto.cpp69
-rw-r--r--src/manager/service/digest.cpp5
-rw-r--r--src/manager/service/file-lock.cpp12
-rw-r--r--src/manager/service/file-system.cpp96
-rw-r--r--src/manager/service/file-system.h11
-rw-r--r--src/manager/service/key-provider.cpp158
-rw-r--r--src/manager/service/key-provider.h10
-rw-r--r--src/manager/service/ocsp-logic.cpp74
-rw-r--r--src/manager/service/ocsp-logic.h6
-rw-r--r--src/manager/service/ocsp.cpp25
-rw-r--r--src/manager/sqlcipher/sqlcipher.c101
-rw-r--r--src/plugin/password-plugin.cpp90
-rw-r--r--systemd/CMakeLists.txt2
-rw-r--r--systemd/central-key-manager-api-control.socket13
-rw-r--r--systemd/central-key-manager-api-ocsp.socket13
-rw-r--r--systemd/central-key-manager-api-storage.socket13
-rw-r--r--systemd/central-key-manager-listener.service11
-rw-r--r--systemd/central-key-manager.service.in5
-rw-r--r--systemd/central-key-manager.target4
-rw-r--r--tests/CMakeLists.txt36
-rw-r--r--tests/main_lcov.cpp63
-rw-r--r--tests/test_db_crypto.cpp1
-rw-r--r--tests/test_lcov_certificate-impl.cpp89
-rw-r--r--tests/test_lcov_ckmc-type-converter.cpp215
-rw-r--r--tests/test_lcov_client-error.cpp89
-rw-r--r--tests/test_lcov_key-impl.cpp43
-rw-r--r--tools/ckm_so_loader.cpp19
89 files changed, 2864 insertions, 1505 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b968db6..c2c1511 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -58,15 +58,15 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
-IF (PROFILE_TARGET MATCHES "WEARABLE")
- MESSAGE("PROFILE_TARGET_WEARABLE DEFINED")
- ADD_DEFINITIONS("-DPROFILE_TARGET_WEARABLE")
-ENDIF (PROFILE_TARGET MATCHES "WEARABLE")
+IF (DEFINED PASSWORD_PROTECTION_DISABLE)
+ MESSAGE("PASSWORD_PROTECTION_DISABLE ENABLED !")
+ ADD_DEFINITIONS("-DPASSWORD_PROTECTION_DISABLE")
+ENDIF (DEFINED PASSWORD_PROTECTION_DISABLE)
-IF (FORM_FACTOR MATCHES "CIRCLE")
- MESSAGE("FORM_FACTOR_CIRCLE DEFINED")
- ADD_DEFINITIONS("-DFORM_FACTOR_CIRCLE")
-ENDIF (FORM_FACTOR MATCHES "CIRCLE")
+IF (DEFINED DB_PER_ZONE_ENABLE)
+ MESSAGE("DB_PER_ZONE ENABLED !")
+ ADD_DEFINITIONS("-DDB_PER_ZONE_ENABLE")
+ENDIF (DEFINED DB_PER_ZONE_ENABLE)
IF (DEFINED SYSTEMD_ENV_FILE)
ADD_DEFINITIONS(-DSYSTEMD_ENV_FILE="${SYSTEMD_ENV_FILE}")
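Review bot: `IF (DEFINED PASSWORD_PROTECTION_DISABLE)` fires on any definition of the variable, so a build invoked with `-DPASSWORD_PROTECTION_DISABLE=0` or `=OFF` still compiles the daemon with password protection disabled; for a switch that removes a security control the test should be on the value, not on presence. Changing the pair to `IF (PASSWORD_PROTECTION_DISABLE)` / `ENDIF (PASSWORD_PROTECTION_DISABLE)` makes CMake treat 0/OFF/FALSE/empty as disabled while still accepting the `=1` the spec passes. The same `DEFINED` pattern is used for `DB_PER_ZONE_ENABLE` in this hunk and for `CKM_BUILD_INTERNAL_TEST` in the last hunk of this file; the first of those deserves the same treatment since it changes where the key database lives.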
@@ -80,6 +80,7 @@ SET(TARGET_LISTENER "key-manager-listener")
SET(TARGET_PASSWORD_PLUGIN "security-server-plugin")
SET(TARGET_TEST_MERGED "ckm-tests-internal")
+SET(TARGET_TEST_LCOV "ckm-tests-lcov-internal")
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh
DESTINATION /etc/opt/upgrade
@@ -90,5 +91,8 @@ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-d
ADD_SUBDIRECTORY(src)
ADD_SUBDIRECTORY(build)
ADD_SUBDIRECTORY(systemd)
+
+IF (DEFINED CKM_BUILD_INTERNAL_TEST)
ADD_SUBDIRECTORY(tests)
ADD_SUBDIRECTORY(tools)
+ENDIF (DEFINED CKM_BUILD_INTERNAL_TEST)
diff --git a/build/key-manager.pc.in b/build/key-manager.pc.in
index 4867073..e3c8834 100644
--- a/build/key-manager.pc.in
+++ b/build/key-manager.pc.in
@@ -6,6 +6,6 @@ includedir=${prefix}/include
Name: key-manager
Description: Central Key Manager Package
Version: @VERSION@
-Requires: openssl libsmack
+Requires: openssl
Libs: -L${libdir} -lkey-manager-client -lkey-manager-common -lkey-manager-control-client
Cflags: -I${includedir}/ckm
diff --git a/data/scripts/migrate_1.sql b/data/scripts/migrate_1.sql
index 39e2d70..1ced1dd 100644
--- a/data/scripts/migrate_1.sql
+++ b/data/scripts/migrate_1.sql
@@ -24,6 +24,7 @@
-- isolate old data
ALTER TABLE PERMISSION_TABLE RENAME TO OLD_PERMISSION_TABLE;
DROP INDEX perm_index_idx;
+DROP INDEX ckm_index_label;
-- create new structure
diff --git a/data/scripts/migrate_2.sql b/data/scripts/migrate_2.sql
index 5c629fe..8bd2fd2 100644
--- a/data/scripts/migrate_2.sql
+++ b/data/scripts/migrate_2.sql
@@ -23,12 +23,14 @@
-- isolate old data
DROP INDEX perm_index_idx;
+DROP INDEX name_index_idx;
-- create new structure
CREATE TABLE SCHEMA_INFO(name TEXT PRIMARY KEY NOT NULL,
value TEXT);
ALTER TABLE NAME_TABLE RENAME TO NAMES;
+CREATE INDEX name_index_idx ON NAMES(idx);
-- need to create OBJECT table from scratch,
-- as SQLite does not support "ALTER COLUMN"
-- (REFERENCES NAME_TABLE --> NAMES)
diff --git a/doc/mobile/images/capi_key_manager_overview_diagram.png b/doc/images/capi_key_manager_overview_diagram.png
index 9453909..9453909 100755
--- a/doc/mobile/images/capi_key_manager_overview_diagram.png
+++ b/doc/images/capi_key_manager_overview_diagram.png
Binary files differ
diff --git a/doc/mobile/key-manager-client_doc.h b/doc/key-manager-client_doc.h
index 25d2084..25d2084 100644
--- a/doc/mobile/key-manager-client_doc.h
+++ b/doc/key-manager-client_doc.h
diff --git a/doc/wearable/key-manager-control_doc.h b/doc/key-manager-control_doc.h
index 8c42b39..70675d8 100644
--- a/doc/wearable/key-manager-control_doc.h
+++ b/doc/key-manager-control_doc.h
@@ -16,7 +16,6 @@
#ifndef __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__
#define __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__
/**
- * @internal
* @ingroup CAPI_KEY_MANAGER_MODULE
* @defgroup CAPI_KEY_MANAGER_CONTROL_MODULE Key Manager Control
* @brief These APIs control the key manager state (Unlocked/Locked) and reflects the user's password change.
diff --git a/doc/mobile/key-manager-types_doc.h b/doc/key-manager-types_doc.h
index c13d822..c13d822 100644
--- a/doc/mobile/key-manager-types_doc.h
+++ b/doc/key-manager-types_doc.h
diff --git a/doc/mobile/key-manager_doc.h b/doc/key-manager_doc.h
index 9c2723d..81e2979 100644
--- a/doc/mobile/key-manager_doc.h
+++ b/doc/key-manager_doc.h
@@ -73,9 +73,7 @@
* Alias Format
* - The format of alias is "package_id name".
* - If package_id is not provided by a client, the key-manager will add the package_id of the client to the name internally.
- * - Alias should not include whitespace except the case of using as delimiter between package_id and name.
- * - If the client use "package_id name" format of alias when saving something in key-manager, the client should use package_id of the client itself.
- If the client doesn't, key-manager will return error code related to input parameter error.
+ * - The client can specify only its own package id in the alias when storing a key, certificate, or data.
* - A client should specify the package id of the owner in the alias to retrieve a a key, certificate, or data shared by other applications.
* - Aliases are returned as the format of "package_id name" from the key-manager.
*
diff --git a/doc/mobile/key-manager-control_doc.h b/doc/mobile/key-manager-control_doc.h
deleted file mode 100644
index 8c42b39..0000000
--- a/doc/mobile/key-manager-control_doc.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the License);
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an AS IS BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__
-#define __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__
-/**
- * @internal
- * @ingroup CAPI_KEY_MANAGER_MODULE
- * @defgroup CAPI_KEY_MANAGER_CONTROL_MODULE Key Manager Control
- * @brief These APIs control the key manager state (Unlocked/Locked) and reflects the user's password change.
- *
- * @section CAPI_KEY_MANAGER_CONTROL_MODULE_HEADER Required Header
- * \#include <ckmc/ckmc-control.h>
- *
- * @section CAPI_KEY_MANAGER_CONTROL_MODULE_OVERVIEW Overview
- * It provides APIs encrypting, decrypting, and re-encrypting a DKEK (with which a user's data file is encrypted).
- * When a user logs in for the first time, the DKEK will be generated randomly.
- */
-
-#endif /* __TIZEN_CORE_KEY_MANAGER_CONTROL_DOC_H__ */
diff --git a/doc/wearable/images/capi_key_manager_overview_diagram.png b/doc/wearable/images/capi_key_manager_overview_diagram.png
deleted file mode 100755
index 9453909..0000000
--- a/doc/wearable/images/capi_key_manager_overview_diagram.png
+++ /dev/null
Binary files differ
diff --git a/doc/wearable/key-manager-client_doc.h b/doc/wearable/key-manager-client_doc.h
deleted file mode 100644
index 25d2084..0000000
--- a/doc/wearable/key-manager-client_doc.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the License);
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an AS IS BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef __TIZEN_CORE_KEY_MANAGER_CLIENT_DOC_H__
-#define __TIZEN_CORE_KEY_MANAGER_CLIENT_DOC_H__
-/**
- * @ingroup CAPI_KEY_MANAGER_MODULE
- * @defgroup CAPI_KEY_MANAGER_CLIENT_MODULE Key Manager Client
- * @brief It provides APIs accessing on the secure repository and additional secure cryptographic operations.
- *
- * @section CAPI_KEY_MANAGER_CLIENT_MODULE_HEADER Required Header
- * \#include <ckmc/ckmc-manager.h>
- *
- * @section CAPI_KEY_MANAGER_CLIENT_MODULE_OVERVIEW Overview
- * It provides APIs for storing, getting, and removing APIs for keys, certificates, and sensitive data on/from the Key Manager secure repository which is protected by a user’s passwords.
- * Additionally, it provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
- */
-
-#endif /* __TIZEN_CORE_KEY_MANAGER_CLIENT_DOC_H__ */
diff --git a/doc/wearable/key-manager-types_doc.h b/doc/wearable/key-manager-types_doc.h
deleted file mode 100644
index c13d822..0000000
--- a/doc/wearable/key-manager-types_doc.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the License);
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an AS IS BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef __TIZEN_CORE_KEY_MANAGER_TYPES_DOC_H__
-#define __TIZEN_CORE_KEY_MANAGER_TYPES_DOC_H__
-/**
- * @ingroup CAPI_KEY_MANAGER_MODULE
- * @defgroup CAPI_KEY_MANAGER_TYPES_MODULE Key Manager Data Types
- * @brief It defines data types used in these APIs and provides utility methods handling them.
- *
- * @section CAPI_KEY_MANAGER_TYPES_MODULE_HEADER Required Header
- * \#include <ckmc/ckmc-type.h>
- *
- * @section CAPI_KEY_MANAGER_TYPES_MODULE_OVERVIEW Overview
- * It defines data types for key, certificate,raw buffer, and linked list used in these APIs.
- * It also provides new and free methods for them.
- *
- */
-
-#endif /* __TIZEN_CORE_KEY_MANAGER_TYPES_DOC_H__ */
diff --git a/doc/wearable/key-manager_doc.h b/doc/wearable/key-manager_doc.h
deleted file mode 100644
index 9c2723d..0000000
--- a/doc/wearable/key-manager_doc.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the License);
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an AS IS BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef __TIZEN_CORE_KEY_MANAGER_DOC_H__
-#define __TIZEN_CORE_KEY_MANAGER_DOC_H__
-/**
- * @ingroup CAPI_SECURITY_FRAMEWORK
- * @defgroup CAPI_KEY_MANAGER_MODULE Key Manager
- * @brief The key manager provides a secure repository protected by a user’s passwords for keys, certificates, and sensitive data of users and/or their APPs.
- * Additionally, the key manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
- *
- * @section CAPI_KEY_MANAGER_MODULE_OVERVIEW Overview
- * <table>
- * <tr><th>API</th><th>Description</th></tr>
- * <tr>
- * <td> @ref CAPI_KEY_MANAGER_CLIENT_MODULE</td>
- * <td> Provides APIs for accessing the secure repository and additional secure cryptographic operations.</td>
- * </tr>
- * <tr>
- * <td> @ref CAPI_KEY_MANAGER_TYPES_MODULE</td>
- * <td> Defines data types used in these APIs and provides utility methods handling them.</td>
- * </tr>
- * </table>
- *
- * It provides a secure repository for keys, certificates, and sensitive data of users and/or their APPs which are protected by a user’s passwords.
- * Additionally, it provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
- *
- * @image html capi_key_manager_overview_diagram.png
- *
- * The key manager provides 2 types of API.
- * - secure repository APIs : These APIs provides storing, retrieving, and removing functions for keys, certificates, and data.
- * - secure crypto APIs : These APIs provides additional cryptographic operations (create asymmetric key pair, sign/verify signature, verify certificate).
- *
- * Data Store Policy:
- * A client can specify simple access rules when storing a data in Key Manager.
- * - Exportable/Non-Exportable:
- * Only for data tagged as exportable, Key Manager returns the raw value of the data.
- * If data is tagged as non-exportable, Key Manager does not return its raw value.
- * In that case, Key Manager provides secure cryptographic operations for non-exportable keys without revealing key values to clients.
- * - Per Key Password:
- * All data in Key Manager is protected by a user’s password.
- * Besides, a client can encrypt its data using its own password additionally.
- * If a client provides a password when storing a data, the data will be encrypted with the password.
- * This password should be provided when get the data from Key Manager.
- *
- * User Login/Logout and Data Protection
- * - When a user logs in, logs out or changes his/her password, Key Manager should know about it.
- * Privileged APPs such as LockScreen APP or Setting APP can notify the key manager using these control APIs.
- * - When a user logs in, the key manager decrypts the user's DKEK (with which a user's data file is encrypted) with a user password.
- * So during the login period, any client can access its data which is protected by a user's password.
- * "user key" in API means DKEK.
- * - When a user logs out, the key manager removes the user's DKEK from memory.
- * Therefore, clients cannot access any data.
- * - When a user changes his/her password, the key manager re-encrypts the user's DKEK with the new password.
- *
- * Data Access Control
- * - By default, only the owner of a data can access to the data.
- * - If the owner grants the access to other applications, those applications can read or delete the data from key-manager DB.
- * - When an application is deleted, the data and access control information granted by the application are also removed.
- *
- * Alias Format
- * - The format of alias is "package_id name".
- * - If package_id is not provided by a client, the key-manager will add the package_id of the client to the name internally.
- * - Alias should not include whitespace except the case of using as delimiter between package_id and name.
- * - If the client use "package_id name" format of alias when saving something in key-manager, the client should use package_id of the client itself.
- If the client doesn't, key-manager will return error code related to input parameter error.
- * - A client should specify the package id of the owner in the alias to retrieve a a key, certificate, or data shared by other applications.
- * - Aliases are returned as the format of "package_id name" from the key-manager.
- *
- */
-
-#endif /* __TIZEN_CORE_KEY_MANAGER_DOC_H__ */
diff --git a/packaging/key-manager-listener.manifest b/packaging/key-manager-listener.manifest
deleted file mode 100644
index c3b5d51..0000000
--- a/packaging/key-manager-listener.manifest
+++ /dev/null
@@ -1,13 +0,0 @@
-<manifest>
- <define>
- <domain name="key-manager-listener" />
- <request>
- <smack request="pkgmgr::info" type="r" />
- <smack request="pkgmgr::db" type="rlx" />
- <smack request="ail::db" type="rlx" />
- </request>
- </define>
- <request>
- <domain name="key-manager-listener" />
- </request>
-</manifest>
diff --git a/packaging/key-manager.manifest b/packaging/key-manager.manifest
index 195c0a5..9e277de 100644
--- a/packaging/key-manager.manifest
+++ b/packaging/key-manager.manifest
@@ -3,15 +3,27 @@
<domain name="key-manager"/>
<request>
<smack request="system::use_internet" type="w"/>
+ <smack request="device::app_logging" type="rw"/>
+ <smack request="device::sys_logging" type="rw"/>
+ <smack request="security-server" type="rx"/>
+ <smack request="sys-assert::core" type="rwxat"/>
+ <smack request="pkgmgr::info" type="r" />
+ <smack request="pkgmgr::db" type="rlx" />
+ <smack request="key-manager::api-control" type="w"/>
+ <smack request="ca-certificates::ssl-certs" type="rx"/>
+ <smack request="systemd" type="rx"/>
+ <smack request="connman" type="w"/>
</request>
<permit>
<smack permit="system::use_internet" type="w"/>
+ <smack permit="connman" type="w"/>
</permit>
</define>
<request>
<domain name="key-manager" />
</request>
<assign>
- <filesystem path="/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh" label="_" exec_label="_"/>
+ <filesystem path="/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh" label="_" exec_label="none"/>
+ <filesystem path="/opt/data/ckm" label="key-manager" type="transmutable"/>
</assign>
</manifest>
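Review bot: The ten new `<smack request>` rules carry no justification, and several are broad for a key-storage daemon — `sys-assert::core` with `rwxat`, `systemd` and `security-server` with `rx`, `pkgmgr::db` with `rlx` — each of which widens what a compromised key-manager process can reach. A one-line `<!-- needed by: ... -->` comment above each rule naming the code path that requires it (for example which rules exist only for the in-process listener this commit adds) would make the policy reviewable and prunable later; the `key-manager::api-control` write rule in particular looks like the daemon reaching its own control socket from the new listener thread and should say so. The `exec_label` change from `_` to `none` on the upgrade script and the `transmutable` label on `/opt/data/ckm` are likewise unexplained; as far as I can tell the transmute is safe only while no other domain is granted `t` access to the `key-manager` label, which this file alone cannot show.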
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index 1d7728a..7a99765 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -1,3 +1,5 @@
+%define ckm_build_internal_test 0
+
Name: key-manager
Summary: Central Key Manager and utilities
Version: 0.1.13
@@ -6,20 +8,16 @@ Group: System/Security
License: Apache-2.0 and BSL-1.0 and PD
Source0: %{name}-%{version}.tar.gz
Source1001: key-manager.manifest
-Source1002: key-manager-listener.manifest
-Source1003: libkey-manager-client.manifest
-Source1004: libkey-manager-common.manifest
+Source1002: libkey-manager-client.manifest
+Source1003: libkey-manager-common.manifest
BuildRequires: cmake
-BuildRequires: zip
-BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(openssl)
-BuildRequires: libattr-devel
-BuildRequires: pkgconfig(libsmack)
BuildRequires: pkgconfig(libsystemd-daemon)
-BuildRequires: pkgconfig(libsystemd-journal)
+BuildRequires: pkgconfig(vasum)
+BuildRequires: pkgconfig(capi-system-info)
BuildRequires: boost-devel
-BuildRequires: pkgconfig(security-server)
-BuildRequires: model-build-features
+BuildRequires: pkgconfig(glib-2.0)
+BuildRequires: pkgconfig(pkgmgr)
Requires: libkey-manager-common = %{version}-%{release}
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
@@ -30,23 +28,13 @@ Central Key Manager daemon could be used as secure storage
for certificate and private/public keys. It gives API for
application to sign and verify (DSA/RSA/ECDSA) signatures.
-%package -n key-manager-listener
-License: Apache-2.0
-Summary: Package with listener daemon
-Group: System/Security
-BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: pkgconfig(capi-appfw-package-manager)
-Requires: libkey-manager-client = %{version}-%{release}
-
-%description -n key-manager-listener
-Listener for central key manager. This daemon is responsible for
-receive notification from dbus about uninstall application
-and pass them to key-manager daemon.
-
%package -n libkey-manager-common
License: Apache-2.0
Summary: Central Key Manager (common libraries)
Group: Development/Libraries
+BuildRequires: pkgconfig(dlog)
+BuildRequires: pkgconfig(libcrypto)
+BuildRequires: pkgconfig(libsystemd-journal)
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
@@ -57,6 +45,8 @@ Central Key Manager package (common library)
License: Apache-2.0
Summary: Central Key Manager (client)
Group: Development/Libraries
+BuildRequires: pkgconfig(capi-base-common)
+BuildRequires: pkgconfig(security-server)
Requires: key-manager = %{version}-%{release}
Requires: libkey-manager-common = %{version}-%{release}
Requires(post): /sbin/ldconfig
@@ -70,44 +60,52 @@ License: Apache-2.0
Summary: Central Key Manager (client-devel)
Group: Development/Libraries
BuildRequires: pkgconfig(capi-base-common)
-Requires: pkgconfig(capi-base-common)
Requires: libkey-manager-client = %{version}-%{release}
%description -n libkey-manager-client-devel
Central Key Manager package (client-devel)
+%if 0%{?ckm_build_internal_test}
%package -n key-manager-tests
License: Apache-2.0 and BSL-1.0
Summary: Internal test for key-manager
Group: Development
-Requires: boost-test
+BuildRequires: boost-test
Requires: key-manager = %{version}-%{release}
%description -n key-manager-tests
Internal test for key-manager implementation.
+%endif
%prep
%setup -q
cp -a %{SOURCE1001} .
cp -a %{SOURCE1002} .
cp -a %{SOURCE1003} .
-cp -a %{SOURCE1004} .
%build
export CFLAGS="$CFLAGS -DTIZEN_DEBUG_ENABLE"
export CXXFLAGS="$CXXFLAGS -DTIZEN_DEBUG_ENABLE"
export FFLAGS="$FFLAGS -DTIZEN_DEBUG_ENABLE"
+
export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions "
+# password protection enabled
+%define ckm_password_protection_disable 0
+# zone disabled on 2.4
+%define ckm_db_per_zone_enable 0
%cmake . -DVERSION=%{version} \
-DCMAKE_BUILD_TYPE=%{?build_type:%build_type}%{!?build_type:RELEASE} \
-DCMAKE_VERBOSE_MAKEFILE=ON \
-%if "%{?tizen_profile_name}" == "wearable"
- -DPROFILE_TARGET=WEARABLE \
+%if 0%{?ckm_password_protection_disable}
+ -DPASSWORD_PROTECTION_DISABLE=1 \
%endif
-%if "%{?model_build_feature_formfactor}" == "circle"
- -DFORM_FACTOR=CIRCLE \
+%if 0%{?ckm_db_per_zone_enable}
+ -DDB_PER_ZONE_ENABLE=1 \
+%endif
+%if 0%{?ckm_build_internal_test}
+ -DCKM_BUILD_INTERNAL_TEST=1 \
%endif
-DSYSTEMD_UNIT_DIR=%{_unitdir} \
-DSYSTEMD_ENV_FILE="/etc/sysconfig/central-key-manager"
@@ -121,21 +119,23 @@ cp LICENSE %{buildroot}/usr/share/license/%{name}
cp LICENSE.BSL-1.0 %{buildroot}/usr/share/license/%{name}.BSL-1.0
cp LICENSE %{buildroot}/usr/share/license/libkey-manager-client
cp LICENSE %{buildroot}/usr/share/license/libkey-manager-control-client
-mkdir -p %{buildroot}/etc/security/
mkdir -p %{buildroot}/usr/share/ckm/scripts
cp data/scripts/*.sql %{buildroot}/usr/share/ckm/scripts
+
+%if 0%{?ckm_build_internal_test}
mkdir -p %{buildroot}/usr/share/ckm-db-test
cp tests/testme_ver1.db %{buildroot}/usr/share/ckm-db-test/
cp tests/testme_ver2.db %{buildroot}/usr/share/ckm-db-test/
+%endif
%make_install
mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants
mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants
ln -s ../central-key-manager.service %{buildroot}%{_unitdir}/multi-user.target.wants/central-key-manager.service
-ln -s ../central-key-manager-listener.service %{buildroot}%{_unitdir}/multi-user.target.wants/central-key-manager-listener.service
ln -s ../central-key-manager-api-control.socket %{buildroot}%{_unitdir}/sockets.target.wants/central-key-manager-api-control.socket
ln -s ../central-key-manager-api-storage.socket %{buildroot}%{_unitdir}/sockets.target.wants/central-key-manager-api-storage.socket
ln -s ../central-key-manager-api-ocsp.socket %{buildroot}%{_unitdir}/sockets.target.wants/central-key-manager-api-ocsp.socket
+mkdir -p %{buildroot}/opt/data/ckm
%clean
rm -rf %{buildroot}
@@ -175,35 +175,13 @@ fi
%postun -n libkey-manager-common -p /sbin/ldconfig
-%post -n key-manager-listener
-systemctl daemon-reload
-if [ $1 = 1 ]; then
- # installation
- systemctl start central-key-manager-listener.service
-fi
-if [ $1 = 2 ]; then
- # update
- systemctl restart central-key-manager-listener.service
-fi
-
-%preun -n key-manager-listener
-if [ $1 = 0 ]; then
- # unistall
- systemctl stop central-key-manager-listener.service
-fi
-
-%postun -n key-manager-listener
-if [ $1 = 0 ]; then
- # unistall
- systemctl daemon-reload
-fi
%files -n key-manager
%manifest key-manager.manifest
+%defattr(-,system,system,-)
%{_bindir}/key-manager
%{_unitdir}/multi-user.target.wants/central-key-manager.service
%{_unitdir}/central-key-manager.service
-%{_unitdir}/central-key-manager.target
%{_unitdir}/sockets.target.wants/central-key-manager-api-control.socket
%{_unitdir}/central-key-manager-api-control.socket
%{_unitdir}/sockets.target.wants/central-key-manager-api-storage.socket
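Review bot: `%defattr(-,system,system,-)` at the top of `%files -n key-manager` makes `%{_bindir}/key-manager` and its unit files owned by the `system` user; if the daemon itself runs as that user (the service unit is not in view here), the process can then rewrite its own executable and units, which removes the usual root-owned-binary boundary around a privileged service. The same defattr is added for libkey-manager-common, libkey-manager-client, libkey-manager-client-devel and key-manager-tests in the later hunks of this file. Keeping binaries and libraries root-owned (`%defattr(-,root,root,-)`) and limiting `system` ownership to what the daemon must write — `%attr(700, system, system) /opt/data/ckm` in a later hunk already does exactly that — preserves least privilege; the `%attr(444, system, system)` on the SQL scripts is read-only and matters less.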
@@ -212,22 +190,18 @@ fi
%{_unitdir}/central-key-manager-api-ocsp.socket
%{_datadir}/license/%{name}
%{_datadir}/license/%{name}.BSL-1.0
-%{_datadir}/ckm/scripts/*.sql
-%attr(444, root, root) %{_datadir}/ckm/scripts/*.sql
+%attr(444, system, system) %{_datadir}/ckm/scripts/*.sql
/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh
-
-%files -n key-manager-listener
-%manifest key-manager-listener.manifest
-%{_bindir}/key-manager-listener
-%{_unitdir}/multi-user.target.wants/central-key-manager-listener.service
-%{_unitdir}/central-key-manager-listener.service
+%attr(700, system, system) /opt/data/ckm
%files -n libkey-manager-common
%manifest libkey-manager-common.manifest
+%defattr(-,system,system,-)
%{_libdir}/libkey-manager-common.so.*
%files -n libkey-manager-client
%manifest libkey-manager-client.manifest
+%defattr(-,system,system,-)
%{_libdir}/libkey-manager-client.so.*
%{_libdir}/libkey-manager-control-client.so.*
%{_libdir}/libsecurity-server-plugin.so*
@@ -235,7 +209,7 @@ fi
%{_datadir}/license/libkey-manager-control-client
%files -n libkey-manager-client-devel
-%defattr(-,root,root,-)
+%defattr(-,system,system,-)
%{_libdir}/libkey-manager-client.so
%{_libdir}/libkey-manager-control-client.so
%{_libdir}/libkey-manager-common.so
@@ -248,6 +222,7 @@ fi
%{_includedir}/ckm/ckm/ckm-password.h
%{_includedir}/ckm/ckm/ckm-pkcs12.h
%{_includedir}/ckm/ckm/ckm-raw-buffer.h
+%{_includedir}/ckm/ckm/ckm-client-info.h
%{_includedir}/ckm/ckm/ckm-type.h
%{_includedir}/ckm/ckmc/ckmc-manager.h
%{_includedir}/ckm/ckmc/ckmc-control.h
@@ -255,9 +230,12 @@ fi
%{_includedir}/ckm/ckmc/ckmc-type.h
%{_libdir}/pkgconfig/*.pc
+%if 0%{?ckm_build_internal_test}
%files -n key-manager-tests
-%defattr(-,root,root,-)
+%defattr(-,system,system,-)
%{_bindir}/ckm-tests-internal
+%{_bindir}/ckm-tests-lcov-internal
%{_datadir}/ckm-db-test/testme_ver1.db
%{_datadir}/ckm-db-test/testme_ver2.db
%{_bindir}/ckm_so_loader
+%endif
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 147638b..cb8c377 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,12 +1,19 @@
PKG_CHECK_MODULES(KEY_MANAGER_DEP
- dlog
+ REQUIRED
openssl
- libsmack
- libcrypto
libsystemd-daemon
- capi-base-common
+ vasum
+ capi-system-info
+ glib-2.0
+ dlog
+ pkgmgr
+ )
+
+PKG_CHECK_MODULES(KEY_MANAGER_CLIENT_DEP
REQUIRED
+ capi-base-common
)
+
FIND_PACKAGE(Threads REQUIRED)
SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src)
@@ -16,7 +23,6 @@ SET(KEY_MANAGER_SOURCES
${KEY_MANAGER_PATH}/main/generic-socket-manager.cpp
${KEY_MANAGER_PATH}/main/socket-manager.cpp
${KEY_MANAGER_PATH}/main/key-manager-main.cpp
- ${KEY_MANAGER_PATH}/main/smack-check.cpp
${KEY_MANAGER_PATH}/service/certificate-store.cpp
${KEY_MANAGER_PATH}/service/certificate-config.cpp
${KEY_MANAGER_PATH}/service/digest.cpp
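Review bot: Removing `${KEY_MANAGER_PATH}/main/smack-check.cpp` from KEY_MANAGER_SOURCES drops the daemon's own Smack label check from the build, and nothing in this file says what now performs the per-client check it provided; the diffstat shows `src/manager/main/smack-check.h` renamed to `listener/listener-thread.h` and `service/access-control.cpp` modified, but those hunks are not in view. Because this is the daemon's caller-authorization path, a short comment next to the new `listener/listener-thread.cpp` entry in the following hunk, or a line in the commit description, naming where client identity and access decisions now come from would let a reviewer confirm the check was moved rather than lost. The file section continues past the hunks shown here.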
@@ -32,6 +38,7 @@ SET(KEY_MANAGER_SOURCES
${KEY_MANAGER_PATH}/service/db-crypto.cpp
${KEY_MANAGER_PATH}/service/ocsp-service.cpp
${KEY_MANAGER_PATH}/service/ocsp-logic.cpp
+ ${KEY_MANAGER_PATH}/listener/listener-thread.cpp
${KEY_MANAGER_PATH}/dpl/core/src/assert.cpp
${KEY_MANAGER_PATH}/dpl/db/src/sql_connection.cpp
${KEY_MANAGER_PATH}/dpl/db/src/naive_synchronization_object.cpp
@@ -53,6 +60,7 @@ INCLUDE_DIRECTORIES(
${KEY_MANAGER_PATH}/main
${KEY_MANAGER_PATH}/common
${KEY_MANAGER_PATH}/service
+ ${KEY_MANAGER_PATH}/listener
${KEY_MANAGER_PATH}/sqlcipher
${KEY_MANAGER_PATH}/dpl/core/include
${KEY_MANAGER_PATH}/dpl/log/include
@@ -66,6 +74,7 @@ TARGET_LINK_LIBRARIES(${TARGET_KEY_MANAGER}
${CMAKE_THREAD_LIBS_INIT}
${KEY_MANAGER_DEP_LIBRARIES}
${TARGET_KEY_MANAGER_COMMON}
+ ${TARGET_KEY_MANAGER_CONTROL_CLIENT}
-ldl -pie
)
@@ -78,6 +87,10 @@ SET(KEY_MANAGER_CLIENT_SRC_PATH ${KEY_MANAGER_PATH}/client)
SET(KEY_MANAGER_CLIENT_ASYNC_SRC_PATH ${KEY_MANAGER_PATH}/client-async)
SET(KEY_MANAGER_CLIENT_CAPI_SRC_PATH ${KEY_MANAGER_PATH}/client-capi)
+INCLUDE_DIRECTORIES(SYSTEM
+ ${KEY_MANAGER_CLIENT_DEP_INCLUDE_DIRS}
+ )
+
INCLUDE_DIRECTORIES(
${KEY_MANAGER_PATH}/client
${KEY_MANAGER_PATH}/client-async
@@ -116,7 +129,7 @@ SET_TARGET_PROPERTIES(
)
TARGET_LINK_LIBRARIES(${TARGET_KEY_MANAGER_CLIENT}
- ${KEY_MANAGER_DEP_LIBRARIES}
+ ${KEY_MANAGER_CLIENT_DEP_LIBRARIES}
${TARGET_KEY_MANAGER_COMMON}
)
@@ -154,7 +167,7 @@ SET_TARGET_PROPERTIES(
)
TARGET_LINK_LIBRARIES(${TARGET_KEY_MANAGER_CONTROL_CLIENT}
- ${KEY_MANAGER_DEP_LIBRARIES}
+ ${KEY_MANAGER_CLIENT_DEP_LIBRARIES}
${TARGET_KEY_MANAGER_COMMON}
)
@@ -175,9 +188,11 @@ INSTALL(FILES
${KEY_MANAGER_SRC_PATH}/include/ckm/ckm-password.h
${KEY_MANAGER_SRC_PATH}/include/ckm/ckm-pkcs12.h
${KEY_MANAGER_SRC_PATH}/include/ckm/ckm-raw-buffer.h
+ ${KEY_MANAGER_SRC_PATH}/include/ckm/ckm-client-info.h
${KEY_MANAGER_SRC_PATH}/include/ckm/ckm-type.h
DESTINATION /usr/include/ckm/ckm
)
+
INSTALL(FILES
${KEY_MANAGER_SRC_PATH}/include/ckmc/ckmc-manager.h
${KEY_MANAGER_SRC_PATH}/include/ckmc/ckmc-control.h
@@ -188,5 +203,4 @@ INSTALL(FILES
################################################################################
ADD_SUBDIRECTORY(manager)
-ADD_SUBDIRECTORY(listener)
ADD_SUBDIRECTORY(plugin)
diff --git a/src/include/ckm/ckm-client-info.h b/src/include/ckm/ckm-client-info.h
new file mode 100644
index 0000000..c6c7e2b
--- /dev/null
+++ b/src/include/ckm/ckm-client-info.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ *
+ * @file ckm-client-info.h
+ * @author Kyungwook Tak (k.tak@samsung.com)
+ * @version 1.0
+ * @brief ClientInfo implementation.
+ */
+#pragma once
+
+#include <string>
+
+#include <sys/types.h>
+
+#include <ckm/ckm-type.h>
+
+namespace CKM {
+
+// ClientInfo consists of (zone name & uid)
+class KEY_MANAGER_API ClientInfo {
+public:
+ ClientInfo() = delete;
+
+ ClientInfo(const uid_t uid);
+
+ ClientInfo(const std::string &zone, const uid_t uid);
+
+ virtual ~ClientInfo();
+
+ uid_t getUID() const;
+
+ ClientID getClientID() const;
+
+ std::string getZone() const;
+
+private:
+ const static std::string ZONE_DEFAULT;
+ const static std::string DELIMITER;
+ std::string m_zone;
+ uid_t m_uid;
+
+};
+
+
+} // namespace CKM
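Review bot: The one-argument `ClientInfo(const uid_t uid);` is a converting constructor, so every Control method that this commit changes to take `const ClientInfo &` still silently accepts a bare `uid_t` and falls back to the default zone; declaring it `explicit ClientInfo(const uid_t uid);` makes a caller that forgot the zone fail to compile instead of acting on the wrong zone. The private `ZONE_DEFAULT` and `DELIMITER` statics suggest `getClientID()` joins zone and uid into the `ClientID` string; if so, a zone name containing the delimiter would let two distinct (zone, uid) pairs yield the same ClientID, so the two-argument constructor should reject such names (or the format should be escaped) and a comment on `getClientID()` should state the exact format. `virtual ~ClientInfo();` gives a plain value type a vtable without any other virtual member; unless subclassing is intended, a non-virtual destructor (or none at all) is sufficient. The `@brief ClientInfo implementation.` describes a .cpp; `@brief ClientInfo declaration: the (zone name, uid) pair identifying a calling client.` fits a header.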
diff --git a/src/include/ckm/ckm-control.h b/src/include/ckm/ckm-control.h
index 67250fe..15dfda9 100644
--- a/src/include/ckm/ckm-control.h
+++ b/src/include/ckm/ckm-control.h
@@ -25,6 +25,7 @@
#include <memory>
#include <ckm/ckm-error.h>
+#include <ckm/ckm-client-info.h>
#include <ckm/ckm-type.h>
// Central Key Manager namespace
@@ -38,32 +39,32 @@ class KEY_MANAGER_API Control
{
public:
// decrypt user key with password
- virtual int unlockUserKey(uid_t user, const Password &password) = 0;
+ virtual int unlockUserKey(const ClientInfo &clientInfo, const Password &password) = 0;
// remove user key from memory
- virtual int lockUserKey(uid_t user) = 0;
+ virtual int lockUserKey(const ClientInfo &clientInfo) = 0;
// remove user data from Store and erase key used for encryption
- virtual int removeUserData(uid_t user) = 0;
+ virtual int removeUserData(const ClientInfo &clientInfo) = 0;
// change password for user
- virtual int changeUserPassword(uid_t user, const Password &oldPassword, const Password &newPassword) = 0;
+ virtual int changeUserPassword(const ClientInfo &clientInfo, const Password &oldPassword, const Password &newPassword) = 0;
// This is work around for security-server api - resetPassword that may be called without passing oldPassword.
// This api should not be supported on tizen 3.0
// User must be already logged in and his DKEK is already loaded into memory in plain text form.
// The service will use DKEK in plain text and encrypt it in encrypted form (using new password).
- virtual int resetUserPassword(uid_t user, const Password &newPassword) = 0;
+ virtual int resetUserPassword(const ClientInfo &clientInfo, const Password &newPassword) = 0;
// Required for tizen 2.3.
// It will remove all application data owned by application identified
// by smackLabel. This function will remove application data from unlocked
// database only. This function may be used during application uninstallation.
- virtual int removeApplicationData(const std::string &smackLabel) = 0;
+ virtual int removeApplicationData(const std::string &zone, const Label &smackLabel) = 0;
virtual int updateCCMode() = 0;
- virtual int setPermission(uid_t user,
+ virtual int setPermission(const ClientInfo &clientInfo,
const Alias &alias,
const Label &accessor,
PermissionMask permissionMask) = 0;
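Review bot: The comment above `removeApplicationData(const std::string &zone, const Label &smackLabel)` still says the application is "identified by smackLabel" and does not mention the new `zone` parameter; `// by (zone, smackLabel). This function will remove application data from unlocked` keeps the contract accurate now that the label is only meaningful within a zone. Likewise the remark on `resetUserPassword` that "This api should not be supported on tizen 3.0" now sits on a signature that was just migrated to the zone-aware `ClientInfo`; either drop that line or say which behaviour is meant to remain. The `Control` class whose methods change here begins and ends outside this hunk.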
diff --git a/src/include/ckm/ckm-error.h b/src/include/ckm/ckm-error.h
index 671ec25..372bd98 100644
--- a/src/include/ckm/ckm-error.h
+++ b/src/include/ckm/ckm-error.h
@@ -93,6 +93,9 @@ extern "C" {
/*! \brief indicating that files are corrupted or access to files was denied */
#define CKM_API_ERROR_FILE_SYSTEM -20
+/*! \brief indicating that device needed to run API is not supported */
+#define CKM_API_ERROR_NOT_SUPPORTED -21
+
#define CKM_API_OCSP_STATUS_GOOD (1<<0)
#define CKM_API_OCSP_STATUS_UNSUPPORTED (1<<1)
#define CKM_API_OCSP_STATUS_UNKNOWN (1<<2)
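Review bot: `CKM_API_ERROR_NOT_SUPPORTED -21` is the internal code while `CKMC_ERROR_NOT_SUPPORTED = TIZEN_ERROR_NOT_SUPPORTED` in the ckmc-error.h hunk is the public one, and this diff does not show the client-side conversion between the two; confirm the error-translation code maps -21, otherwise a client would presumably get whatever default that conversion returns. A one-line tie-in next to the define, `/* surfaced to C API callers as CKMC_ERROR_NOT_SUPPORTED */`, would make the pairing visible to the next maintainer. The brief "device needed to run API is not supported" is hard to parse; `/*! \brief indicating that the API is not supported on this device */` reads more clearly.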
diff --git a/src/include/ckm/ckm-type.h b/src/include/ckm/ckm-type.h
index 53b87a7..1dbba03 100644
--- a/src/include/ckm/ckm-type.h
+++ b/src/include/ckm/ckm-type.h
@@ -35,6 +35,7 @@ namespace CKM {
typedef std::vector<RawBuffer> RawBufferVector;
typedef std::string Alias;
typedef std::string Label;
+typedef std::string ClientID;
typedef std::vector<Alias> AliasVector;
enum class KeyType : int {
diff --git a/src/include/ckmc/ckmc-control.h b/src/include/ckmc/ckmc-control.h
index 0424e2c..6666950 100644
--- a/src/include/ckmc/ckmc-control.h
+++ b/src/include/ckmc/ckmc-control.h
@@ -33,7 +33,6 @@ extern "C" {
#endif
/**
- * @internal
* @addtogroup CAPI_KEY_MANAGER_CONTROL_MODULE
* @{
*/
@@ -43,7 +42,7 @@ extern "C" {
* A decrypted user key exists only on memory. If this API is called for the first time, a
* user key will be generated internally.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -72,7 +71,7 @@ int ckmc_unlock_user_key(uid_t user, const char *password);
/**
* @brief Removes a decrypted user key(DKEK) from memory
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -95,7 +94,7 @@ int ckmc_lock_user_key(uid_t user);
/**
* @brief Removes user data from Store and erases a user key(DKEK) used for encryption.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -120,7 +119,7 @@ int ckmc_remove_user_data(uid_t user);
* The key manager decrypts a user key (DKEK) with old password and re-encrypts a user key
* with new password.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -147,7 +146,7 @@ int ckmc_change_user_password(uid_t user, const char *old_password, const char *
/**
* @brief Changes a password for a user without old password.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -173,9 +172,10 @@ int ckmc_change_user_password(uid_t user, const char *old_password, const char *
int ckmc_reset_user_password(uid_t user, const char *new_password);
/**
+ * @deprecated, see ckmc_set_permission_by_adm()
* @brief Allows another application to access client's application data
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
@@ -198,9 +198,8 @@ int ckmc_reset_user_password(uid_t user, const char *new_password);
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
- * @see ckmc_allow_access()
- * @see ckmc_deny_access()
- * @see ckmc_deny_access_by_adm()
+ * @see ckmc_set_permission_by_adm()
+ * @see ckmc_set_permission()
*/
int ckmc_allow_access_by_adm(uid_t user,
const char *owner,
@@ -209,9 +208,43 @@ int ckmc_allow_access_by_adm(uid_t user,
ckmc_access_right_e granted);
/**
+ * @brief Allows another application to access client's application data
+ *
+ * @since_tizen 3.0
+ * @privlevel platform
+ * @privilege %http://tizen.org/privilege/keymanager.admin
+ *
+ * @remarks Data identified by @a alias should exist
+ * @remarks @a alias must contain owner label (<owner label><ckmc_label_name_separator><name>)
+ *
+ * @param[in] user User ID of a user whose data will be affected
+ * @param[in] alias Data alias for which access will be granted
+ * @param[in] accessor Package id of the application that will gain access rights
+ * @param[in] permissions Mask of permissions granted for @a accessor application
+ * (@a ckmc_permission_e)
+ * (previous permission mask will be replaced with the new mask value)
+ *
+ * @return @c 0 on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_set_permission()
+ */
+int ckmc_set_permission_by_adm(uid_t user, const char *alias, const char *accessor, int mask);
+
+
+/**
+ * @deprecated, see ckmc_set_permission_by_adm()
* @brief Revokes another application's access to client's application data
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel platform
* @privilege %http://tizen.org/privilege/keymanager.admin
*
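Review bot: `ckmc_set_permission_by_adm()` declares its last parameter as plain `int mask`, while the documentation names it `@param[in] permissions` and describes it as `ckmc_permission_e`; rename the parameter or the tag so they match, and state that the value is a bitwise OR of `ckmc_permission_e` values, e.g. `@param[in] mask Bitwise OR of #ckmc_permission_e values granted to @a accessor (replaces any previous mask)`. `@deprecated, see ckmc_set_permission_by_adm()` on both ckmc_deny_access_by_adm() here and ckmc_allow_access_by_adm() in the earlier hunk is not the form used elsewhere in this commit; `@deprecated Deprecated since 2.4. [Use ckmc_set_permission_by_adm() instead]` matches the ckmc-manager.h convention and gives Doxygen a proper description. The `@param[in] accessor Package id of the application` wording differs from the label/owner terminology of the surrounding functions; if the accessor really is a package id rather than a smack label, say so consistently in both new and deprecated entries.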
@@ -235,9 +268,8 @@ int ckmc_allow_access_by_adm(uid_t user,
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
- * @see ckmc_allow_access()
- * @see ckmc_deny_access()
- * @see ckmc_allow_access_by_adm()
+ * @see ckmc_set_permission()
+ * @see ckmc_set_permission_by_adm()
*/
int ckmc_deny_access_by_adm(uid_t user, const char *owner, const char *alias, const char *accessor);
diff --git a/src/include/ckmc/ckmc-error.h b/src/include/ckmc/ckmc-error.h
index 8c95db7..8a5729b 100644
--- a/src/include/ckmc/ckmc-error.h
+++ b/src/include/ckmc/ckmc-error.h
@@ -33,7 +33,7 @@ extern "C" {
/**
* @brief Enumeration for Key Manager Errors.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum{
@@ -41,6 +41,7 @@ typedef enum{
CKMC_ERROR_INVALID_PARAMETER = TIZEN_ERROR_INVALID_PARAMETER, /**< Invalid function parameter */
CKMC_ERROR_OUT_OF_MEMORY = TIZEN_ERROR_OUT_OF_MEMORY, /**< Out of memory */
CKMC_ERROR_PERMISSION_DENIED = TIZEN_ERROR_PERMISSION_DENIED, /**< Permission denied */
+ CKMC_ERROR_NOT_SUPPORTED = TIZEN_ERROR_NOT_SUPPORTED, /**< Device needed to run API is not supported*/
CKMC_ERROR_SOCKET = TIZEN_ERROR_KEY_MANAGER | 0x01, /**< Socket error between client and Central Key Manager */
CKMC_ERROR_BAD_REQUEST = TIZEN_ERROR_KEY_MANAGER | 0x02, /**< Invalid request from client */
diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h
index d0cd41f..c4a4580 100644
--- a/src/include/ckmc/ckmc-manager.h
+++ b/src/include/ckmc/ckmc-manager.h
@@ -15,7 +15,7 @@
*
*
* @file ckmc-manager.h
- * @version 1.0
+ * @version 1.2
* @brief Provides management functions(storing, retrieving, and removing) for keys,
* certificates and data of a user and additional crypto functions.
*/
@@ -25,11 +25,11 @@
#define __TIZEN_CORE_CKMC_MANAGER_H
#include <stddef.h>
+#include <stdbool.h>
#include <sys/types.h>
#include <tizen.h>
-#include <ckmc/ckmc-type.h>
#include <ckmc/ckmc-error.h>
-
+#include <ckmc/ckmc-type.h>
#ifdef __cplusplus
extern "C" {
#endif
@@ -43,7 +43,7 @@ extern "C" {
/**
* @brief Stores a key inside key manager based on the provided policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -61,8 +61,7 @@ extern "C" {
* @param[in] key The key's binary value to be stored
* @param[in] policy The policy about how to store a key securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -75,18 +74,20 @@ extern "C" {
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
- * @see ckmc_remove_key()
+ * @see ckmc_remove_alias()
* @see ckmc_get_key()
* @see ckmc_get_key_alias_list()
+ * @see ckmc_key_free()
* @see #ckmc_key_s
* @see #ckmc_policy_s
*/
int ckmc_save_key(const char *alias, const ckmc_key_s key, const ckmc_policy_s policy);
/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_remove_alias() instead]
* @brief Removes a key from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -95,8 +96,7 @@ int ckmc_save_key(const char *alias, const ckmc_key_s key, const ckmc_policy_s p
*
* @param[in] alias The name of a key to be removed
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -111,13 +111,14 @@ int ckmc_save_key(const char *alias, const ckmc_key_s key, const ckmc_policy_s p
* @see ckmc_save_key()
* @see ckmc_get_key()
* @see ckmc_get_key_alias_list()
+ * @see ckmc_remove_alias()
*/
int ckmc_remove_key(const char *alias);
/**
* @brief Gets a key from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -128,11 +129,10 @@ int ckmc_remove_key(const char *alias);
* @param[in] alias The name of a key to retrieve
* @param[in] password The password used in decrypting a key value \n
* If password of policy is provided in ckmc_save_key(), the same password
- * should be provided.
- * @param[out] ppkey The pointer to a newly created ckmc_key_s handle
+ * should be provided
+ * @param[out] ppkey The pointer to a newly created #ckmc_key_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -142,20 +142,22 @@ int ckmc_remove_key(const char *alias);
* @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
- * Decryption failed because password is incorrect.
+ * Decryption failed because password is incorrect
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_key()
- * @see ckmc_remove_key()
+ * @see ckmc_remove_alias()
* @see ckmc_get_key_alias_list()
+ * @see ckmc_key_free()
+ * @see #ckmc_key_s
*/
int ckmc_get_key(const char *alias, const char *password, ckmc_key_s **ppkey);
/**
* @brief Gets all the alias of keys that the client can access.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -163,12 +165,11 @@ int ckmc_get_key(const char *alias, const char *password, ckmc_key_s **ppkey);
* @remarks You must destroy the newly created @a ppalias_list by calling ckmc_alias_list_all_free()
* if it is no longer needed.
*
- * @param[out] ppalias_list The pointer to a newly created ckmc_alias_list_s handle containing all
+ * @param[out] ppalias_list The pointer to a newly created #ckmc_alias_list_s handle containing all
* available alias of keys \n
- * If there is no available key alias, *ppalias_list will be null.
+ * If there is no available key alias, @a *ppalias_list will be null
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -181,8 +182,10 @@ int ckmc_get_key(const char *alias, const char *password, ckmc_key_s **ppkey);
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_key()
- * @see ckmc_remove_key()
+ * @see ckmc_remove_alias()
* @see ckmc_get_key()
+ * @see ckmc_alias_list_all_free()
+ * @see #ckmc_alias_list_s
*/
int ckmc_get_key_alias_list(ckmc_alias_list_s** ppalias_list);
@@ -192,7 +195,7 @@ int ckmc_get_key_alias_list(ckmc_alias_list_s** ppalias_list);
/**
* @brief Stores a certificate inside key manager based on the provided policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -203,8 +206,7 @@ int ckmc_get_key_alias_list(ckmc_alias_list_s** ppalias_list);
* @param[in] cert The certificate's binary value to be stored
* @param[in] policy The policy about how to store a certificate securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -217,7 +219,7 @@ int ckmc_get_key_alias_list(ckmc_alias_list_s** ppalias_list);
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
- * @see ckmc_remove_cert()
+ * @see ckmc_remove_alias()
* @see ckmc_get_cert()
* @see ckmc_get_cert_alias_list()
* @see #ckmc_cert_s
@@ -226,9 +228,10 @@ int ckmc_get_key_alias_list(ckmc_alias_list_s** ppalias_list);
int ckmc_save_cert(const char *alias, const ckmc_cert_s cert, const ckmc_policy_s policy);
/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_remove_alias() instead]
* @brief Removes a certificate from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -237,8 +240,7 @@ int ckmc_save_cert(const char *alias, const ckmc_cert_s cert, const ckmc_policy_
*
* @param[in] alias The name of a certificate to be removed
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -253,13 +255,14 @@ int ckmc_save_cert(const char *alias, const ckmc_cert_s cert, const ckmc_policy_
* @see ckmc_save_cert()
* @see ckmc_get_cert()
* @see ckmc_get_cert_alias_list()
+ * @see ckmc_remove_alias()
*/
int ckmc_remove_cert(const char *alias);
/**
* @brief Gets a certificate from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -271,11 +274,10 @@ int ckmc_remove_cert(const char *alias);
* @param[in] alias The name of a certificate to retrieve
* @param[in] password The password used in decrypting a certificate value \n
* If password of policy is provided in ckmc_save_cert(), the same password
- * should be provided.
- * @param[out] ppcert The pointer to a newly created ckmc_cert_s handle
+ * should be provided
+ * @param[out] ppcert The pointer to a newly created #ckmc_cert_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -285,20 +287,21 @@ int ckmc_remove_cert(const char *alias);
* @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exists
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
- * Decryption failed because password is incorrect.
+ * Decryption failed because password is incorrect
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_cert()
- * @see ckmc_remove_cert()
+ * @see ckmc_remove_alias()
* @see ckmc_get_cert_alias_list()
+ * @see #ckmc_cert_s
*/
int ckmc_get_cert(const char *alias, const char *password, ckmc_cert_s **ppcert);
/**
* @brief Gets all alias of certificates which the client can access.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -306,12 +309,11 @@ int ckmc_get_cert(const char *alias, const char *password, ckmc_cert_s **ppcert)
* @remarks You must destroy the newly created @a ppalias_list by calling ckmc_alias_list_all_free()
* if it is no longer needed.
*
- * @param[out] ppalias_list The pointer to a newly created ckmc_alias_list_s handle containing all
+ * @param[out] ppalias_list The pointer to a newly created #ckmc_alias_list_s handle containing all
* available alias of keys \n
- * If there is no available key alias, *ppalias_list will be null.
+ * If there is no available key alias, @a *ppalias_list will be null
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -324,17 +326,95 @@ int ckmc_get_cert(const char *alias, const char *password, ckmc_cert_s **ppcert)
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_cert()
- * @see ckmc_remove_cert()
+ * @see ckmc_remove_alias()
* @see ckmc_get_cert()
+ * @see ckmc_alias_list_all_free()
+ * @see #ckmc_alias_list_s
*/
int ckmc_get_cert_alias_list(ckmc_alias_list_s** ppalias_list);
+
+/**
+ * @brief Stores PKCS12's contents inside key manager based on the provided policies.
+ * All items from the PKCS12 will use the same alias.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @param[in] alias The name of a data to be stored
+ * @param[in] pkcs Pointer to the pkcs12 structure to be saved
+ * @param[in] key_policy The policy about how to store pkcs's private key
+ * @param[in] cert_policy The policy about how to store pkcs's certificate
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ALIAS_EXISTS Alias already exists
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_remove_alias()
+ * @see ckmc_get_pkcs12()
+ * @see ckmc_get_data_alias_list()
+ * @see ckmc_pkcs12_load()
+ * @see #ckmc_pkcs12_s
+ * @see #ckmc_policy_s
+ */
+int ckmc_save_pkcs12(const char *alias,
+ const ckmc_pkcs12_s *pkcs,
+ const ckmc_policy_s key_policy,
+ const ckmc_policy_s cert_policy);
+
+/**
+ * @brief Gets a pkcs12 from key manager.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks A client can access only data stored by the client.
+ * @remarks You must destroy the newly created @a pkcs12 by calling ckmc_pkcs12_free() if it is no
+ * longer needed.
+ *
+ * @param[in] alias The name of a data to retrieve
+ * @param[in] key_password Password that was used to encrypt privateKey (may be NULL)
+ * @param[in] cert_password Password used to encrypt certificates (may be NULL)
+ * @param[out] pkcs12 The pointer to a newly created #ckmc_pkcs12_s handle
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ * @retval #CKMC_ERROR_AUTHENTICATION_FAILED
+ * keyPassword or certPassword does not match with password
+ * used to encrypt data
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_save_pkcs12()
+ * @see ckmc_remove_alias()
+ * @see ckmc_pkcs12_free()
+ * @see #ckmc_pkcs12_s
+ */
+int ckmc_get_pkcs12(const char *alias, const char *key_password, const char *cert_password, ckmc_pkcs12_s **pkcs12);
+
/**
* @brief Stores a data inside key manager based on the provided policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
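Review bot: In ckmc_get_pkcs12() the `@retval #CKMC_ERROR_AUTHENTICATION_FAILED` text refers to `keyPassword` and `certPassword`, which are not the declared parameter names; `@a key_password or @a cert_password does not match the password used to encrypt the data` fixes the cross-reference. ckmc_save_pkcs12() takes `const ckmc_pkcs12_s *pkcs` by pointer while every sibling save function in this header takes its struct by value, so a `@remarks` line stating whether a NULL @a pkcs is rejected with #CKMC_ERROR_INVALID_PARAMETER would help callers. The brief "All items from the PKCS12 will use the same alias" leaves open which alias-list function (key, certificate or data) the stored alias later appears in; the `@see ckmc_get_data_alias_list()` hints at data but the text should say so explicitly.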
@@ -342,8 +422,7 @@ int ckmc_get_cert_alias_list(ckmc_alias_list_s** ppalias_list);
* @param[in] data The binary value to be stored
* @param[in] policy The policy about how to store a data securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -355,7 +434,7 @@ int ckmc_get_cert_alias_list(ckmc_alias_list_s** ppalias_list);
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
- * @see ckmc_remove_data()
+ * @see ckmc_remove_alias()
* @see ckmc_get_data()
* @see ckmc_get_data_alias_list()
* @see #ckmc_raw_buffer_s
@@ -364,9 +443,10 @@ int ckmc_get_cert_alias_list(ckmc_alias_list_s** ppalias_list);
int ckmc_save_data(const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_s policy);
/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_remove_alias() instead]
* @brief Removes a data from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -375,8 +455,7 @@ int ckmc_save_data(const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_
*
* @param[in] alias The name of a data to be removed
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -391,13 +470,14 @@ int ckmc_save_data(const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_
* @see ckmc_save_data()
* @see ckmc_get_data()
* @see ckmc_get_data_alias_list()
+ * @see ckmc_remove_alias()
*/
int ckmc_remove_data(const char *alias);
/**
* @brief Gets a data from key manager.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -408,11 +488,10 @@ int ckmc_remove_data(const char *alias);
* @param[in] alias The name of a data to retrieve
* @param[in] password The password used in decrypting a data value \n
* If password of policy is provided in ckmc_save_data(), the same password
- * should be provided.
- * @param[out] ppdata The pointer to a newly created ckmc_raw_buffer_s handle
+ * should be provided
+ * @param[out] ppdata The pointer to a newly created #ckmc_raw_buffer_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -426,15 +505,17 @@ int ckmc_remove_data(const char *alias);
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_data()
- * @see ckmc_remove_data()
+ * @see ckmc_remove_alias()
* @see ckmc_get_data_alias_list()
+ * @see ckmc_buffer_free()
+ * @see #ckmc_raw_buffer_s
*/
int ckmc_get_data(const char *alias, const char *password, ckmc_raw_buffer_s **ppdata);
/**
* @brief Gets all alias of data which the client can access.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -442,12 +523,11 @@ int ckmc_get_data(const char *alias, const char *password, ckmc_raw_buffer_s **p
* @remarks You must destroy the newly created @a ppalias_list by calling ckmc_alias_list_all_free()
* if it is no longer needed.
*
- * @param[out] ppalias_list The pointer to a newly created ckmc_alias_list_s handle containing all
+ * @param[out] ppalias_list The pointer to a newly created #ckmc_alias_list_s handle containing all
* available alias of keys \n
- * If there is no available key alias, *ppalias_list will be null.
+ * If there is no available key alias, @a *ppalias_list will be null
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -460,8 +540,10 @@ int ckmc_get_data(const char *alias, const char *password, ckmc_raw_buffer_s **p
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_save_data()
- * @see ckmc_remove_data()
+ * @see ckmc_remove_alias()
* @see ckmc_get_data()
+ * @see ckmc_alias_list_all_free()
+ * @see #ckmc_alias_list_s
*/
int ckmc_get_data_alias_list(ckmc_alias_list_s** ppalias_list);
@@ -472,7 +554,7 @@ int ckmc_get_data_alias_list(ckmc_alias_list_s** ppalias_list);
* @brief Creates RSA private/public key pair and stores them inside key manager based on each
* policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -480,14 +562,13 @@ int ckmc_get_data_alias_list(ckmc_alias_list_s** ppalias_list);
* in policy.
*
* @param[in] size The size of key strength to be created \n
- * @c 1024, @c 2048, and @c 4096 are supported.
+ * @c 1024, @c 2048, and @c 4096 are supported
* @param[in] private_key_alias The name of private key to be stored
* @param[in] public_key_alias The name of public key to be stored
* @param[in] policy_private_key The policy about how to store a private key securely
* @param[in] policy_public_key The policy about how to store a public key securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
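Review bot: The `@param[in] size` text still lists `@c 1024` as a supported RSA strength with no guidance, and the DSA counterpart in the hunk ending at L1649 does the same; the change only drops the trailing period on both lines. A caller picking a size from this header gets no hint that 1024-bit keys are below current recommendations. Suggest adding `@remarks 1024-bit keys are considered weak; use 2048 bits or larger for new key pairs` to both functions. The ckmc_create_key_pair_rsa declaration itself lies outside this hunk.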
@@ -503,6 +584,7 @@ int ckmc_get_data_alias_list(ckmc_alias_list_s** ppalias_list);
* @see ckmc_create_key_pair_ecdsa()
* @see ckmc_create_signature()
* @see ckmc_verify_signature()
+ * @see #ckmc_policy_s
*/
int ckmc_create_key_pair_rsa(const size_t size,
const char *private_key_alias,
@@ -514,7 +596,7 @@ int ckmc_create_key_pair_rsa(const size_t size,
* @brief Creates DSA private/public key pair and stores them inside key manager based on each
* policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -522,14 +604,13 @@ int ckmc_create_key_pair_rsa(const size_t size,
* in policy.
*
* @param[in] size The size of key strength to be created \n
- * @c 1024, @c 2048, @c 3072 and @c 4096 are supported.
+ * @c 1024, @c 2048, @c 3072 and @c 4096 are supported
* @param[in] private_key_alias The name of private key to be stored
* @param[in] public_key_alias The name of public key to be stored
* @param[in] policy_private_key The policy about how to store a private key securely
* @param[in] policy_public_key The policy about how to store a public key securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -545,6 +626,7 @@ int ckmc_create_key_pair_rsa(const size_t size,
* @see ckmc_create_key_pair_ecdsa()
* @see ckmc_create_signature()
* @see ckmc_verify_signature()
+ * @see #ckmc_policy_s
*/
int ckmc_create_key_pair_dsa(const size_t size,
const char *private_key_alias,
@@ -556,7 +638,7 @@ int ckmc_create_key_pair_dsa(const size_t size,
* @brief Creates ECDSA private/public key pair and stores them inside key manager based on each
* policy.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -569,8 +651,7 @@ int ckmc_create_key_pair_dsa(const size_t size,
* @param[in] policy_private_key The policy about how to store a private key securely
* @param[in] policy_public_key The policy about how to store a public key securely
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -587,6 +668,7 @@ int ckmc_create_key_pair_dsa(const size_t size,
* @see ckmc_create_signature()
* @see ckmc_verify_signature()
* @see #ckmc_ec_type_e
+ * @see #ckmc_policy_s
*/
int ckmc_create_key_pair_ecdsa(const ckmc_ec_type_e type,
const char *private_key_alias,
@@ -597,7 +679,7 @@ int ckmc_create_key_pair_ecdsa(const ckmc_ec_type_e type,
/**
* @brief Creates a signature on a given message using a private key and returns the signature.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -611,12 +693,11 @@ int ckmc_create_key_pair_ecdsa(const ckmc_ec_type_e type,
* @param[in] message The message that is signed with a private key
* @param[in] hash The hash algorithm used in creating signature
* @param[in] padding The RSA padding algorithm used in creating signature \n
- * It is used only when the signature algorithm is RSA.
+ * It is used only when the signature algorithm is RSA
* @param[out] ppsignature The pointer to a newly created signature \n
- * If an error occurs, @a *ppsignature will be null.
+ * If an error occurs, @a *ppsignature will be null
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
@@ -626,7 +707,7 @@ int ckmc_create_key_pair_ecdsa(const ckmc_ec_type_e type,
* @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
- * Decryption failed because password is incorrect.
+ * Decryption failed because password is incorrect
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
@@ -634,6 +715,7 @@ int ckmc_create_key_pair_ecdsa(const ckmc_ec_type_e type,
* @see ckmc_create_key_pair_ecdsa()
* @see ckmc_verify_signature()
* @see ckmc_buffer_free()
+ * @see #ckmc_raw_buffer_s
* @see #ckmc_hash_algo_e
* @see #ckmc_rsa_padding_algo_e
*/
@@ -648,7 +730,7 @@ int ckmc_create_signature(const char *private_key_alias,
* @brief Verifies a given signature on a given message using a public key and returns the signature
* status.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -661,10 +743,9 @@ int ckmc_create_signature(const char *private_key_alias,
* @param[in] signature The signature that is verified with public key
* @param[in] hash The hash algorithm used in verifying signature
* @param[in] padding The RSA padding algorithm used in verifying signature \n
- * It is used only when the signature algorithm is RSA.
+ * It is used only when the signature algorithm is RSA
*
- * @return @c 0 on success and the signature is valid,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success and the signature is valid, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_VERIFICATION_FAILED The signature is invalid
@@ -675,13 +756,14 @@ int ckmc_create_signature(const char *private_key_alias,
* @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
- * Decryption failed because password is incorrect.
+ * Decryption failed because password is incorrect
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_create_key_pair_rsa()
+ * @see ckmc_create_key_pair_dsa()
* @see ckmc_create_key_pair_ecdsa()
- * @see ckmc_verify_signature()
+ * @see #ckmc_raw_buffer_s
* @see #ckmc_hash_algo_e
* @see #ckmc_rsa_padding_algo_e
*/
@@ -695,7 +777,7 @@ int ckmc_verify_signature(const char *public_key_alias,
/**
* @brief Verifies a certificate chain and returns that chain.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
@@ -704,14 +786,13 @@ int ckmc_verify_signature(const char *public_key_alias,
* @remarks You must destroy the newly created @a ppcert_chain_list by calling
* ckmc_cert_list_all_free() if it is no longer needed.
*
- * @param[in] cert The certificate to be verified
- * @param[in] untrustedcerts The untrusted CA certificates to be used in verifying a certificate
+ * @param[in] cert The certificate to be verified
+ * @param[in] untrustedcerts The untrusted CA certificates to be used in verifying a certificate
* chain
* @param[out] ppcert_chain_list The pointer to a newly created certificate chain's handle \n
- * If an error occurs, @a *ppcert_chain_list will be null.
+ * If an error occurs, @a *ppcert_chain_list will be null
*
- * @return @c 0 on success and the signature is valid,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success and the signature is valid, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_VERIFICATION_FAILED The certificate chain is not valid
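Review bot: The rewritten `@return` line says "on success and the signature is valid", but ckmc_get_cert_chain verifies a certificate chain, not a signature; the `@retval #CKMC_ERROR_VERIFICATION_FAILED` text directly below already uses the right wording. The same copied phrase appears on the new side for ckmc_get_cert_chain_with_alias (L1837) and the new ckmc_get_cert_chain_with_trustedcert (L1882). Suggest `@return #CKMC_ERROR_NONE on success and the certificate chain is valid, otherwise a negative error value` in all three places. The enclosing ckmc_get_cert_chain comment block continues outside this hunk.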
@@ -722,22 +803,24 @@ int ckmc_verify_signature(const char *public_key_alias,
* @retval #CKMC_ERROR_INVALID_FORMAT The format of certificate is not valid
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
- * Decryption failed because password is incorrect.
+ * Decryption failed because password is incorrect
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_get_cert_chain_with_alias())
* @see ckmc_cert_list_all_free()
+ * @see #ckmc_cert_list_s
*/
int ckmc_get_cert_chain(const ckmc_cert_s *cert,
const ckmc_cert_list_s *untrustedcerts,
ckmc_cert_list_s **ppcert_chain_list);
/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_get_cert_chain() instead]
* @brief Verifies a certificate chain using an alias list of untrusted certificates and return that
* chain.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
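Review bot: The context line `@see ckmc_get_cert_chain_with_alias())` carries a stray closing parenthesis that Doxygen will render literally; it should read `@see ckmc_get_cert_chain_with_alias()`. The new `@deprecated` note names ckmc_get_cert_chain() as the replacement, but that function takes a `const ckmc_cert_list_s *untrustedcerts` (L1808) where the deprecated one takes a `const ckmc_alias_list_s *` (L1857), so a migrating caller must load the untrusted certificates itself rather than refer to stored aliases; a sentence saying so in the deprecation note would save readers a trip to both signatures. The ckmc_get_cert_chain_with_alias comment block continues past this hunk.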
@@ -745,15 +828,15 @@ int ckmc_get_cert_chain(const ckmc_cert_s *cert,
* storage.
* @remarks You must destroy the newly created @a ppcert_chain_list by calling
* ckmc_cert_list_all_free() if it is no longer needed.
+ * @remarks @a untrustedcerts shouldn't be protected with optional password.
*
- * @param[in] cert The certificate to be verified
- * @param[in] untrustedcerts The alias list of untrusted CA certificates stored in key manager
+ * @param[in] cert The certificate to be verified
+ * @param[in] untrustedcerts The alias list of untrusted CA certificates stored in key manager
* to be used in verifying a certificate chain
* @param[out] ppcert_chain_list The pointer to a newly created certificate chain's handle \n
- * If an error occurs, @a *ppcert_chain_list will be null.
+ * If an error occurs, @a *ppcert_chain_list will be null
*
- * @return @c 0 on success and the signature is valid,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success and the signature is valid, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_VERIFICATION_FAILED The certificate chain is not valid
@@ -766,32 +849,111 @@ int ckmc_get_cert_chain(const ckmc_cert_s *cert,
* @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
* @retval #CKMC_ERROR_AUTHENTICATION_FAILED
* Some certificates were encrypted with password and could not
- * be used.
+ * be used
*
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_get_cert_chain()
* @see ckmc_cert_list_all_free()
+ * @see #ckmc_cert_s
+ * @see #ckmc_alias_list_s
+ * @see #ckmc_cert_list_s
*/
int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert,
const ckmc_alias_list_s *untrustedcerts,
ckmc_cert_list_s **ppcert_chain_list);
+/**
+ * @brief Verifies a certificate chain and returns that chain using user entered trusted and
+ * untrusted CA certificates.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks If the trusted root certificates are provided as a user input, these certificates do not
+ * need to exist in the system's certificate storage.
+ * @remarks You must destroy the newly created @a ppcert_chain_list by calling
+ * ckmc_cert_list_all_free() if it is no longer needed.
+ *
+ * @param[in] cert The certificate to be verified
+ * @param[in] untrustedcerts The untrusted CA certificates to be used in verifying a
+ * certificate chain
+ * @param[in] trustedcerts The trusted CA certificates to be used in verifying a
+ * certificate chain
+ * @param[in] use_trustedsystemcerts The flag indicating the use of the trusted root certificates
+ * in the system's certificate storage
+ * @param[out] ppcert_chain_list The pointer to a newly created certificate chain's handle \n
+ * If an error occurs, @a *ppcert_chain_list will be null
+ *
+ * @return #CKMC_ERROR_NONE on success and the signature is valid, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_VERIFICATION_FAILED The certificate chain is not valid
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to the error with unknown reason
+ * @retval #CKMC_ERROR_INVALID_FORMAT The format of certificate is not valid
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_cert_list_all_free()
+ * @see #ckmc_cert_s
+ * @see #ckmc_cert_list_s
+ */
+int ckmc_get_cert_chain_with_trustedcert(const ckmc_cert_s *cert,
+ const ckmc_cert_list_s *untrustedcerts,
+ const ckmc_cert_list_s *trustedcerts,
+ const bool use_trustedsystemcerts,
+ ckmc_cert_list_s **ppcert_chain_list);
+
+/**
+ * @brief Perform OCSP which checks certificate is whether revoked or not.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @param[in] pcert_chain_list Valid certificate chain to perform OCSP check
+ * @param[out] ocsp_status The pointer to status result of OCSP check
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ * @retval #CKMC_ERROR_NOT_SUPPORTED Device needed to run API is not supported
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ * @pre @a pcert_chain_list is created with ckmc_get_certificate_chain() or
+ * ckmc_get_certificate_chain_with_alias().
+ *
+ * @see ckmc_get_cert_chain()
+ * @see ckmc_get_cert_chain_with_alias()
+ * @see ckmc_get_cert_chain_with_trustedcert()
+ * @see ckmc_cert_list_all_free()
+ * @see #ckmc_cert_list_s
+ * @see #ckmc_ocsp_status_e
+ */
+int ckmc_ocsp_check(const ckmc_cert_list_s *pcert_chain_list, ckmc_ocsp_status_e *ocsp_status);
/**
- * @brief Allows another application to access client's application data
+ * @deprecated Deprecated since 2.4. [Use ckmc_set_permission() instead]
+ * @brief Allows another application to access client's application data.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
- * @remarks Data identified by @a alias should exist
+ * @remarks Data identified by @a alias should exist.
*
* @param[in] alias Data alias for which access will be granted
* @param[in] accessor Package id of the application that will gain access rights
* @param[in] granted Rights granted for @a accessor application
*
- * @return @c 0 on success, otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
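Review bot: The `@pre` of ckmc_ocsp_check refers to `ckmc_get_certificate_chain()` and `ckmc_get_certificate_chain_with_alias()`, which are not the declared names; the `@see` lines four lines below use the actual `ckmc_get_cert_chain()` / `ckmc_get_cert_chain_with_alias()`, and the new ckmc_get_cert_chain_with_trustedcert() is listed under `@see` but missing from the precondition. Suggest `@pre @a pcert_chain_list is created with ckmc_get_cert_chain(), ckmc_get_cert_chain_with_alias() or ckmc_get_cert_chain_with_trustedcert().` Separately, `ckmc_ocsp_status_e` (defined in ckmc-type.h in this same commit) carries both `CKMC_OCSP_STATUS_REVOKED` and `CKMC_OCSP_ERROR_*` values, yet nothing here says whether those outcomes still return `#CKMC_ERROR_NONE`; if they do, a caller that treats `#CKMC_ERROR_NONE` as "not revoked" is wrong, so add `@remarks #CKMC_ERROR_NONE means the check was performed; the outcome is reported in @a ocsp_status and must be compared against #CKMC_OCSP_STATUS_GOOD` (or state the opposite contract explicitly). The `@brief` would also read better as `Performs an OCSP check to determine whether the certificate is revoked.`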
@@ -804,24 +966,56 @@ int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert,
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_deny_access()
+ * @see ckmc_set_permission()
+ * @see #ckmc_access_right_e
*/
int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right_e granted);
+/**
+ * @brief Allows another application to access client's application data.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks Data identified by @a alias should exist.
+ *
+ * @param[in] alias Data alias for which access will be granted
+ * @param[in] accessor Package id of the application that will gain access rights
+ * @param[in] permissions Mask of #ckmc_permission_e granted for @a accessor application \n
+ * Previous permission mask will be replaced with the new mask value
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to the error with unknown reason
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see #ckmc_permission_e
+ */
+int ckmc_set_permission(const char *alias, const char *accessor, int permissions);
/**
- * @brief Revokes another application's access to client's application data
+ * @deprecated Deprecated since 2.4. [Use ckmc_set_permission() instead]
+ * @brief Revokes another application's access to client's application data.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
* @privlevel public
* @privilege %http://tizen.org/privilege/keymanager
*
- * @remarks Data identified by @a alias should exist
- * @remarks Only access previously granted with ckmc_allow_access can be revoked.
+ * @remarks Data identified by @a alias should exist.
+ * @remarks Only access previously granted with ckmc_allow_access() can be revoked.
*
* @param[in] alias Data alias for which access will be revoked
* @param[in] accessor Package id of the application that will lose access rights
*
- * @return @c 0 on success, otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid or the @a accessor doesn't
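Review bot: `ckmc_set_permission` takes `permissions` as a plain `int` described as a mask of `#ckmc_permission_e`, but the documentation does not say whether bits outside `CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE` are rejected with `#CKMC_ERROR_INVALID_PARAMETER` or silently ignored; the retval list gives no hint either way. It also never states that passing `#CKMC_PERMISSION_NONE` is how access is revoked, even though the deprecated ckmc_deny_access() now points to this function as its replacement without saying how. If that is the contract, add `@remarks Passing #CKMC_PERMISSION_NONE revokes all access previously granted to @a accessor.` and `@remarks Bits not defined in #ckmc_permission_e are rejected with #CKMC_ERROR_INVALID_PARAMETER` (adjusting to the real behaviour), and repeat the first remark in the ckmc_deny_access() deprecation note.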
@@ -835,9 +1029,44 @@ int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right
* @pre User is already logged in and the user key is already loaded into memory in plain text form.
*
* @see ckmc_allow_access()
+ * @see ckmc_set_permission()
*/
int ckmc_deny_access(const char *alias, const char *accessor);
+/**
+ * @brief Removes a an entry (no matter of type) from the key manager.
+ *
+ * @since_tizen 2.4
+ * @privlevel public
+ * @privilege %http://tizen.org/privilege/keymanager
+ *
+ * @remarks To remove item, client must have remove permission to the specified item.
+ * @remarks The item owner can remove by default.
+ *
+ * @param[in] alias Item alias to be removed
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
+ * @retval #CKMC_ERROR_DB_LOCKED A user key is not loaded in memory (a user is not logged
+ * in)
+ * @retval #CKMC_ERROR_DB_ERROR Failed due to a database error
+ * @retval #CKMC_ERROR_DB_ALIAS_UNKNOWN Alias does not exist
+ * @retval #CKMC_ERROR_PERMISSION_DENIED Failed to access key manager
+ *
+ * @pre User is already logged in and the user key is already loaded into memory in plain text form.
+ *
+ * @see ckmc_save_key()
+ * @see ckmc_save_cert()
+ * @see ckmc_save_data()
+ * @see ckmc_save_pkcs12()
+ * @see ckmc_create_key_pair_rsa()
+ * @see ckmc_create_key_pair_dsa()
+ * @see ckmc_create_key_pair_ecdsa()
+ */
+int ckmc_remove_alias(const char *alias);
+
#ifdef __cplusplus
}
#endif
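Review bot: The `@brief` of ckmc_remove_alias reads `Removes a an entry (no matter of type)`; suggest `@brief Removes an entry of any type (key, certificate, data or PKCS12) from the key manager.` The remarks say the client needs "remove permission" but the comment block does not link the permission model it depends on, even though it lists every creator function; add `@see ckmc_set_permission()` and `@see #ckmc_permission_e` so a reader can find how that permission is granted. Presumably "remove permission" is `CKMC_PERMISSION_REMOVE` — worth naming it explicitly in the remark.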
diff --git a/src/include/ckmc/ckmc-type.h b/src/include/ckmc/ckmc-type.h
index ef9cc7c..ad0100e 100644
--- a/src/include/ckmc/ckmc-type.h
+++ b/src/include/ckmc/ckmc-type.h
@@ -15,7 +15,7 @@
*
*
* @file ckmc-type.h
- * @version 1.0
+ * @version 1.2
* @brief Definitions of struct for the Key Manager's CAPI and their utility functions.
*/
@@ -23,7 +23,7 @@
#define __TIZEN_CORE_CKMC_TYPE_H
#include <stddef.h>
-#include <ckmc/ckmc-error.h>
+#include <stdbool.h>
#define KEY_MANAGER_CAPI __attribute__((visibility("default")))
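Review bot: Replacing `#include <ckmc/ckmc-error.h>` with `#include <stdbool.h>` removes an include from a public header, so any client that includes only ckmc-type.h and relies on it transitively for the `CKMC_ERROR_*` codes stops compiling; this header's own `@retval #CKMC_ERROR_*` documentation (ckmc_key_new, ckmc_buffer_new, ckmc_cert_new later in this diff) still names those constants. If dropping it is intended, it should be called out in the commit message as a source-compatibility change; otherwise keep both includes, `#include <stdbool.h>` followed by `#include <ckmc/ckmc-error.h>`. I cannot see from this hunk whether ckmc-manager.h includes ckmc-error.h directly, so this is a risk to confirm rather than a certain break.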
@@ -38,18 +38,20 @@ extern "C" {
*/
/**
- * alias can be provided as an alias alone, or together with label - in this
- * case, separator " " (space bar) is used to separate label and alias.
+ * @brief Sperator between alias and label.
+ * @since_tizen 2.3
+ * @remarks Alias can be provided as an alias alone, or together with label - in this
+ * case, separator " " (space bar) is used to separate label and alias.
* @see key-manager_doc.h
*/
KEY_MANAGER_CAPI extern char const * const ckmc_label_name_separator;
/**
* @brief Enumeration for key types of key manager.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_key_type {
- CKMC_KEY_NONE = 0, /**< key type not specified */
+ CKMC_KEY_NONE = 0, /**< Key type not specified */
CKMC_KEY_RSA_PUBLIC, /**< RSA public key */
CKMC_KEY_RSA_PRIVATE, /**< RSA private key */
CKMC_KEY_ECDSA_PUBLIC, /**< ECDSA public key */
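Review bot: The new `@brief Sperator between alias and label.` for `ckmc_label_name_separator` has a typo that will appear verbatim in the generated API reference; it should read `@brief Separator between alias and label.` The remark below it is otherwise fine.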
@@ -61,7 +63,7 @@ typedef enum __ckmc_key_type {
/**
* @brief Enumeration for data format.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_data_format {
CKMC_FORM_DER_BASE64 = 0, /**< DER format base64 encoded data */
@@ -72,7 +74,7 @@ typedef enum __ckmc_data_format {
/**
* @brief Enumeration for elliptic curve.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_ec_type {
CKMC_EC_PRIME192V1 = 0, /**< Elliptic curve domain "secp192r1" listed in "SEC 2" recommended
@@ -84,7 +86,7 @@ typedef enum __ckmc_ec_type {
/**
* @brief Enumeration for hash algorithm.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_hash_algo {
CKMC_HASH_NONE = 0, /**< No Hash Algorithm */
@@ -96,7 +98,7 @@ typedef enum __ckmc_hash_algo {
/**
* @brief Enumeration for RSA padding algorithm.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_rsa_padding_algo {
CKMC_NONE_PADDING = 0, /**< No Padding */
@@ -105,17 +107,28 @@ typedef enum __ckmc_rsa_padding_algo {
} ckmc_rsa_padding_algo_e;
/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_permission_e() instead]
* @brief Enumeration for database access rights.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef enum __ckmc_access_right{
- CKMC_AR_READ = 0, /**< access right for read*/
- CKMC_AR_READ_REMOVE /**< access right for read and remove*/
+ CKMC_AR_READ = 0, /**< Access right for read*/
+ CKMC_AR_READ_REMOVE /**< Access right for read and remove*/
} ckmc_access_right_e;
/**
+ * @brief Enumeration for permissions to access/modify alias.
+ * @since_tizen 2.4
+ */
+typedef enum __ckmc_permission{
+ CKMC_PERMISSION_NONE = 0x00, /**< Clear permissions */
+ CKMC_PERMISSION_READ = 0x01, /**< Eead allowed */
+ CKMC_PERMISSION_REMOVE = 0x02 /**< Remove allowed */
+} ckmc_permission_e;
+
+/**
* @brief the structure for binary buffer used in key manager CAPI.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef struct __ckmc_raw_buff {
unsigned char* data; /**< Byte array containing binary data */
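Review bot: The deprecation note `[Use ckmc_permission_e() instead]` writes the replacement as a function call, but `ckmc_permission_e` is an enum; it should be `[Use #ckmc_permission_e instead]` so Doxygen links it and readers do not look for a function. In the new enum, `CKMC_PERMISSION_READ` is documented as `/**< Eead allowed */`, a typo for `/**< Read allowed */`. Since ckmc_set_permission() takes these values as an `int` mask, the enum's `@brief` should also say they are bit flags meant to be combined, e.g. `@remarks Values are bit flags and may be OR-ed together.`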
@@ -124,7 +137,7 @@ typedef struct __ckmc_raw_buff {
/**
* @brief The structure for a policy for storing key/certificate/binary data.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef struct __ckmc_policy {
char* password; /**< Byte array used to encrypt data inside CKM. If it is not null, the data
@@ -135,7 +148,7 @@ typedef struct __ckmc_policy {
/**
* @brief The structure for key used in key manager CAPI.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef struct __ckmc_key {
unsigned char* raw_key; /**< Byte array of key. raw_key may be encrypted with password */
@@ -146,7 +159,7 @@ typedef struct __ckmc_key {
/**
* @brief The structure for certificate used in key manager CAPI.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef struct __ckmc_cert {
unsigned char* raw_cert; /**< Byte array of certificate */
@@ -156,7 +169,7 @@ typedef struct __ckmc_cert {
/**
* @brief The structure for linked list of alias.
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*/
typedef struct __ckmc_alias_list {
char *alias; /**< The name of key, certificate or data stored in key manager */
@@ -164,35 +177,59 @@ typedef struct __ckmc_alias_list {
} ckmc_alias_list_s;
/**
- * @brief The structure for linked list of ckmc_cert_s
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @brief The structure for linked list of #ckmc_cert_s.
+ * @since_tizen 2.3
*/
typedef struct __ckmc_cert_list {
- ckmc_cert_s *cert; /**< The pointer of ckmc_cert_s */
- struct __ckmc_cert_list *next; /**< The pointer pointing to the next ckmc_cert_list_s */
+ ckmc_cert_s *cert; /**< The pointer of #ckmc_cert_s */
+ struct __ckmc_cert_list *next; /**< The pointer pointing to the next #ckmc_cert_list_s */
} ckmc_cert_list_s;
+/**
+ * @brief Enumeration for OCSP status.
+ * @since_tizen 2.4
+ */
+typedef enum __ckmc_ocsp_status {
+ CKMC_OCSP_STATUS_GOOD = 0, /**< OCSP status is good */
+ CKMC_OCSP_STATUS_REVOKED, /**< The certificate is revoked */
+ CKMC_OCSP_STATUS_UNKNOWN, /**< Unknown error */
+ CKMC_OCSP_ERROR_UNSUPPORTED, /**< The certificate does not provide OCSP extension */
+ CKMC_OCSP_ERROR_INVALID_URL, /**< The invalid URL in certificate OCSP extension */
+ CKMC_OCSP_ERROR_INVALID_RESPONSE, /**< The invalid response from OCSP server */
+ CKMC_OCSP_ERROR_REMOTE, /**< OCSP remote server error */
+ CKMC_OCSP_ERROR_NET, /**< Network connection error */
+ CKMC_OCSP_ERROR_INTERNAL /**< OpenSSL API error */
+} ckmc_ocsp_status_e;
/**
- * @internal
- * @brief Creates a new @a ckmc_key_s handle and returns it.
+ * @brief The structure for PKCS12 used in key manager CAPI.
+ * @since_tizen 2.4
+ */
+typedef struct __ckmc_pkcs12 {
+ ckmc_key_s *priv_key; /**< The private key, may be null */
+ ckmc_cert_s *cert; /**< The certificate, may be null */
+ ckmc_cert_list_s *ca_chain; /**< The chain certificate list, may be null */
+} ckmc_pkcs12_s;
+
+
+/**
+ * @brief Creates a new #ckmc_key_s handle and returns it.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks You must destroy the newly created @a ckmc_key_s by calling ckmc_key_free() if it is no
- * longer needed.
+ * @remarks You must destroy the newly created @a ppkey by calling ckmc_key_free()
+ * if it is no longer needed.
*
- * @param[in] raw_key The byte array of key \n
- * @a raw_key may be encrypted with password.
+ * @param[in] raw_key The byte array of key @a raw_key may be encrypted with password
* @param[in] key_size The byte size of @a raw_key
* @param[in] key_type The @a raw_key's type
* @param[in] password The byte array used to decrypt @a raw_key inside key manager \n
- * If @a raw_key is not encrypted, @a password can be null.
- * @param[out] ppkey The pointer to a newly created @a ckmc_key_s handle
+ * If @a raw_key is not encrypted, @a password can be null
+ * @param[out] ppkey The pointer to a newly created #ckmc_key_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
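Review bot: `CKMC_OCSP_STATUS_UNKNOWN` is documented as `/**< Unknown error */` while sitting among the `CKMC_OCSP_STATUS_*` outcomes and separate from the `CKMC_OCSP_ERROR_*` failure values; in OCSP, "unknown" is a responder answer meaning the responder has no status for the certificate, which is not an error of the check itself. If that is what this value maps to, the comment should read something like `/**< The responder has no status for the certificate (OCSP "unknown") */`; if it really is a catch-all error, it belongs with the `CKMC_OCSP_ERROR_*` entries and should be named accordingly. Also, the rewritten ckmc_key_new parameter line `The byte array of key @a raw_key may be encrypted with password` lost the `\n` that separated two sentences; restore it as `The byte array of key \n` / `@a raw_key may be encrypted with password`. The ckmc_key_new comment block continues past this hunk.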
@@ -202,75 +239,74 @@ typedef struct __ckmc_cert_list {
int ckmc_key_new(unsigned char *raw_key,
size_t key_size,
ckmc_key_type_e key_type,
- char *password, ckmc_key_s **ppkey);
+ char *password,
+ ckmc_key_s **ppkey);
/**
- * @brief Destroys the @a ckmc_key_s handle and releases all its resources.
+ * @brief Destroys the #ckmc_key_s handle and releases all its resources.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @param[in] key The @a ckmc_key_s handle to destroy
+ * @param[in] key The #ckmc_key_s handle to destroy
*
*/
void ckmc_key_free(ckmc_key_s *key);
/**
- * @internal
- * @brief Creates a new @a ckmc_raw_buffer_s handle and returns it.
+ * @brief Creates a new #ckmc_raw_buffer_s handle and returns it.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks You must destroy the newly created @a ckmc_raw_buffer_s by calling ckmc_buffer_free() if
- * it is no longer needed.
+ * @remarks You must destroy the newly created @a ppbuffer by calling ckmc_buffer_free()
+ * if it is no longer needed.
*
* @param[in] data The byte array of buffer
* @param[in] size The byte size of buffer
- * @param[out] ppbuffer The pointer to a newly created @a ckmc_buffer_s handle
+ * @param[out] ppbuffer The pointer to a newly created #ckmc_buffer_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
* @see ckmc_buffer_free()
* @see #ckmc_raw_buffer_s
*/
-int ckmc_buffer_new(unsigned char *data, size_t size,ckmc_raw_buffer_s **ppbuffer);
+int ckmc_buffer_new(unsigned char *data, size_t size, ckmc_raw_buffer_s **ppbuffer);
/**
- * @brief Destroys the @a ckmc_raw_buffer_s handle and releases all its resources.
+ * @brief Destroys the #ckmc_raw_buffer_s handle and releases all its resources.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @param[in] buffer The @a ckmc_raw_buffer_s handle to destroy
+ * @param[in] buffer The #ckmc_raw_buffer_s structure to destroy
*
*/
void ckmc_buffer_free(ckmc_raw_buffer_s *buffer);
/**
- * @internal
- * @brief Creates a new @a ckmc_cert_s handle and returns it.
+ * @brief Creates a new #ckmc_cert_s handle and returns it.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks You must destroy the newly created @a ckmc_cert_s by calling ckmc_cert_free() if it is
- * no longer needed.
+ * @remarks You must destroy the newly created @a ppcert by calling ckmc_cert_free()
+ * if it is no longer needed.
*
* @param[in] raw_cert The byte array of certificate
* @param[in] cert_size The byte size of raw_cert
* @param[in] data_format The encoding format of raw_cert
- * @param[out] ppcert The pointer to a newly created @a ckmc_cert_s handle
+ * @param[out] ppcert The pointer to a newly created #ckmc_cert_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
* @see ckmc_cert_free()
* @see ckmc_load_cert_from_file()
- * @see ckmc_load_from_pkcs12_file()
+ * @see #ckmc_data_format_e
* @see #ckmc_cert_s
*/
int ckmc_cert_new(unsigned char *raw_cert,
@@ -279,31 +315,31 @@ int ckmc_cert_new(unsigned char *raw_cert,
ckmc_cert_s **ppcert);
/**
- * @brief Destroys the @a ckmc_cert handle and releases all its resources.
+ * @brief Destroys the #ckmc_cert handle and releases all its resources.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @param[in] cert The @a ckmc_cert_s handle to destroy
+ * @param[in] cert The #ckmc_cert_s handle to destroy
*
* @see ckmc_load_cert_from_file()
* @see ckmc_load_from_pkcs12_file()
+ * @see #ckmc_cert_s
*/
void ckmc_cert_free(ckmc_cert_s *cert);
/**
- * @brief Creates a new @a ckmc_cert_s handle from a given file and returns it.
+ * @brief Creates a new #ckmc_cert_s handle from a given file and returns it.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @remarks You must destroy the newly created @a ckmc_cert_s by calling ckmc_cert_free() if it is
- * no longer needed.
+ * @remarks You must destroy the newly created @a cert by calling ckmc_cert_free()
+ * if it is no longer needed.
*
* @param[in] file_path The path of certificate file to be loaded \n
- * The only DER or PEM encoded certificate file is supported.
- * @param[out] cert The pointer of newly created @a ckmc_cert_s handle
+ * The only DER or PEM encoded certificate file is supported
+ * @param[out] cert The pointer of newly created #ckmc_cert_s handle
*
- * @return #CKMC_ERROR_NONE on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory space
@@ -311,39 +347,75 @@ void ckmc_cert_free(ckmc_cert_s *cert);
* @retval #CKMC_ERROR_FILE_ACCESS_DENIED Provided file does not exist or cannot be accessed
*
* @see ckmc_cert_free()
- * @see ckmc_load_from_pkcs12_file()
* @see #ckmc_cert_s
*/
int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert);
/**
- * @brief Creates a new @a ckmc_key_s(private key), @a ckmc_cert_s(certificate), and
- * @a ckmc_cert_list_s(CA certificates) handle from a given PKCS#12 file and returns them.
+ * @brief Creates a new #ckmc_pkcs12_s handle and returns it.
+ *
+ * @since_tizen 2.4
+ *
+ * @remarks You must destroy the newly created @a pkcs12_bundle by calling ckmc_pkcs12_free()
+ * if it is no longer needed.
+ * @remarks On success, @a private_key, @a cert and @a ca_cert_list ownership is transferred
+ * into newly returned #ckmc_pkcs12_s.
+ *
+ * @param[in] private_key #ckmc_key_s handle to the private key (optional)
+ * @param[in] cert #ckmc_cert_s handle to the certificate (optional)
+ * @param[in] ca_cert_list #ckmc_cert_list_s list of chain certificate handles (optional)
+ * @param[out] pkcs12_bundle The pointer to a newly created #ckmc_pkcs12_s handle
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid or @a private_key, @a cert
+ * and @a ca_cert_list all are null
+ * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
+ *
+ * @see ckmc_pkcs12_free()
+ * @see ckmc_load_from_pkcs12_file()
+ * @see ckmc_pkcs12_load()
+ * @see #ckmc_key_s
+ * @see #ckmc_cert_s
+ * @see #ckmc_cert_list_s
+ * @see #ckmc_pkcs12_s
+ */
+int ckmc_pkcs12_new(ckmc_key_s *private_key,
+ ckmc_cert_s *cert,
+ ckmc_cert_list_s *ca_cert_list,
+ ckmc_pkcs12_s **pkcs12_bundle);
+
+/**
+ * @deprecated Deprecated since 2.4. [Use ckmc_pkcs12_load() instead]
+ * @brief Creates a new @a private_key, @a cert and @a ca_cert_list handle from a given
+ * PKCS12 file and returns them.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @remarks You must destroy the newly created @a ckmc_key_s, @a ckmc_cert_s, and
- * @a ckmc_cert_list_s by calling ckmc_key_free(), ckmc_cert_free(), and
+ * @remarks You must destroy the newly created @a private_key, @a cert and
+ * @a ca_cert_list by calling ckmc_key_free(), ckmc_cert_free() and
* ckmc_cert_list_all_free() if they are no longer needed.
*
* @param[in] file_path The path of PKCS12 file to be loaded
* @param[in] passphrase The passphrase used to decrypt the PCKS12 file \n
- * If PKCS12 file is not encrypted, passphrase can be null.
- * @param[out] private_key The pointer of newly created @a ckmc_key_s handle for a private key
- * @param[out] cert The pointer of newly created @a ckmc_cert_s handle for a certificate \n
- * It is null if the PKCS12 file does not contain a certificate.
- * @param[out] ca_cert_list The pointer of newly created @a ckmc_cert_list_s handle for CA
+ * If PKCS12 file is not encrypted, passphrase can be null
+ * @param[out] private_key The pointer of newly created #ckmc_key_s handle for a private key
+ * @param[out] cert The pointer of newly created #ckmc_cert_s handle for a certificate \n
+ * It is null if the PKCS12 file does not contain a certificate
+ * @param[out] ca_cert_list The pointer of newly created #ckmc_cert_list_s handle for CA
* certificates \n
- * It is null if the PKCS12 file does not contain CA certificates.
+ * It is null if the PKCS12 file does not contain CA certificates
*
- * @return #CKMC_ERROR_NONE on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
* @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory space
* @retval #CKMC_ERROR_INVALID_FORMAT Invalid PKCS12 file format
* @retval #CKMC_ERROR_FILE_ACCESS_DENIED Provided file does not exist or cannot be accessed
*
+ * @see ckmc_pkcs12_new()
+ * @see ckmc_pkcs12_load()
* @see ckmc_key_free()
* @see ckmc_cert_free()
* @see ckmc_cert_list_all_free()
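Review bot: The ownership remark on ckmc_pkcs12_new covers only the success path, so a caller reading "ownership is transferred into newly returned #ckmc_pkcs12_s" cannot tell whether @a private_key, @a cert and @a ca_cert_list must still be freed when a negative error is returned. Since the function can fail after the caller has built all three objects, the failure contract should be explicit, e.g. `@remarks On failure, ownership of @a private_key, @a cert and @a ca_cert_list remains with the caller, who must free them.` This matches what the C++ side presumably does when it frees its temporaries after a failed ckmc_pkcs12_new, but the header should not rely on readers inferring that.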
@@ -353,27 +425,67 @@ int ckmc_load_cert_from_file(const char *file_path, ckmc_cert_s **cert);
*/
int ckmc_load_from_pkcs12_file(const char *file_path,
const char *passphrase,
- ckmc_key_s **private_key, ckmc_cert_s **cert,
+ ckmc_key_s **private_key,
+ ckmc_cert_s **cert,
ckmc_cert_list_s **ca_cert_list);
/**
- * @internal
- * @brief Creates a new @a ckmc_alias_list_s handle and returns it.
- * The alias pointer in the returned @a ckmc_alias_list_s handle points to the provided
+ * @brief Creates a new #ckmc_pkcs12_s handle from a given PKCS#12 file and returns it.
+ *
+ * @since_tizen 2.4
+ *
+ * @remarks You must destroy the newly created @a pkcs12_bundle by calling ckmc_pkcs12_free() if
+ * they are no longer needed.
+ *
+ * @param[in] file_path The path of PKCS12 file to be loaded
+ * @param[in] passphrase The passphrase used to decrypt the PCKS12 file \n
+ * If PKCS12 file is not encrypted, passphrase can be null
+ * @param[out] pkcs12_bundle The pointer of newly created #ckmc_cert_list_s handle for CA
+ * certificates \n
+ * It is null if the PKCS12 file does not contain CA certificates
+ *
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
+ *
+ * @retval #CKMC_ERROR_NONE Successful
+ * @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory space
+ * @retval #CKMC_ERROR_INVALID_FORMAT Invalid PKCS12 file format
+ * @retval #CKMC_ERROR_FILE_ACCESS_DENIED Provided file does not exist or cannot be accessed
+ *
+ * @see ckmc_pkcs12_free()
+ * @see #ckmc_pkcs12_s
+ */
+int ckmc_pkcs12_load(const char *file_path,
+ const char *passphrase,
+ ckmc_pkcs12_s **pkcs12_bundle);
+
+/**
+ * @brief Destroys the #ckmc_pkcs12_s handle and releases all its resources.
+ *
+ * @since_tizen 2.4
+ *
+ * @param[in] pkcs12 The #ckmc_pkcs12_s handle to destroy
+ *
+ * @see ckmc_pkcs12_new()
+ * @see ckmc_pkcs12_load()
+ */
+void ckmc_pkcs12_free(ckmc_pkcs12_s *pkcs12);
+
+/**
+ * @brief Creates a new #ckmc_alias_list_s handle and returns it.
+ * The alias pointer in the returned #ckmc_alias_list_s handle points to the provided
* characters and next is null.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks You must destroy the newly created @a ckmc_alias_list_s
- * by calling ckmc_alias_list_free() or ckmc_alias_list_all_free() if it is no longer
- * needed.
+ * @remarks You must destroy the newly created @a ppalias_list by calling ckmc_alias_list_free()
+ * or ckmc_alias_list_all_free() if it is no longer needed.
*
- * @param[in] alias The first item to be set in the newly created @a ckmc_alias_list_s
- * @param[out] ppalias_list The pointer to a newly created @a ckmc_alias_list_s handle
+ * @param[in] alias The first item to be set in the newly created #ckmc_alias_list_s
+ * @param[out] ppalias_list The pointer to a newly created #ckmc_alias_list_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
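Review bot: The @param[out] description of ckmc_pkcs12_load's pkcs12_bundle is copied from ckmc_load_from_pkcs12_file's ca_cert_list entry: it calls the result a "#ckmc_cert_list_s handle for CA certificates" that "is null if the PKCS12 file does not contain CA certificates", although the prototype takes `ckmc_pkcs12_s **pkcs12_bundle`. Replace the three lines with `@param[out] pkcs12_bundle The pointer of newly created #ckmc_pkcs12_s handle`. In the same block the remark "if they are no longer needed" refers to a single handle and should read `if it is no longer needed`, and the retval list might also want #CKMC_ERROR_INVALID_PARAMETER for a null @a file_path or @a pkcs12_bundle if the implementation rejects those.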
@@ -383,21 +495,20 @@ int ckmc_load_from_pkcs12_file(const char *file_path,
int ckmc_alias_list_new(char *alias, ckmc_alias_list_s **ppalias_list);
/**
- * @internal
- * @brief Creates a new @a ckmc_alias_list_s handle, adds it to a previous @a ckmc_alias_list_s and
- * returns it. The alias pointer in the returned @a ckmc_alias_list_s handle points to the
+ * @brief Creates a new #ckmc_alias_list_s handle, adds it to a @a previous and returns it.
+ * The alias pointer in the returned #ckmc_alias_list_s handle points to the
* provided characters and next is null.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @param[in] previous The last @a ckmc_alias_list_s handle to which a newly created
- * @a ckmc_alias_list_s is added
- * @param[in] alias The item to be set in the newly created @a ckmc_alias_list_s
- * @param[out] pplast The pointer to a newly created and added @a ckmc_alias_list_s handle
+ * @param[in] previous The last #ckmc_alias_list_s handle to which a newly created
+ * #ckmc_alias_list_s is added
+ * @param[in] alias The item to be set in the newly created #ckmc_alias_list_s
+ * @param[out] pplast The pointer to a newly created and added #ckmc_alias_list_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
@@ -409,15 +520,14 @@ int ckmc_alias_list_add(ckmc_alias_list_s *previous,
ckmc_alias_list_s **pplast);
/**
- * @internal
- * @brief Destroys the @a ckmc_alias_list_s handle and releases resources of @a ckmc_alias_list_s
- * from the provided first handle cascadingly.
+ * @brief Destroys the #ckmc_alias_list_s handle and releases resources from the provided
+ * @a first handle cascadingly.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks It does not destroy an alias itself in @a ckmc_alias_list_s.
+ * @remarks It does not destroy an alias itself in #ckmc_alias_list_s.
*
- * @param[in] first The first @a ckmc_alias_list_s handle to destroy
+ * @param[in] first The first #ckmc_alias_list_s handle to destroy
*
* @see ckmc_alias_list_all_free()
* @see #ckmc_alias_list_s
@@ -425,36 +535,36 @@ int ckmc_alias_list_add(ckmc_alias_list_s *previous,
void ckmc_alias_list_free(ckmc_alias_list_s *first);
/**
- * @brief Destroys the @a ckmc_alias_list_s handle and releases all its resources from the provided
- * first handle cascadingly.
+ * @brief Destroys the #ckmc_alias_list_s handle and releases all its resources from the provided
+ * @a first handle cascadingly.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks It also destroys the alias in @a ckmc_alias_list_s.
+ * @remarks It also destroys the alias in #ckmc_alias_list_s.
*
- * @param[in] first The first @a ckmc_alias_list_s handle to destroy
+ * @param[in] first The first #ckmc_alias_list_s handle to destroy
*
+ * @see ckmc_alias_list_free()
* @see #ckmc_alias_list_s
*/
void ckmc_alias_list_all_free(ckmc_alias_list_s *first);
/**
- * @internal
- * @brief Creates a new @a ckmc_cert_list_s handle and returns it.
- * The cert pointer in the returned @a ckmc_cert_list_s handle points to the provided
- * @a ckmc_cert_s and next is null.
+ * @brief Creates a new #ckmc_cert_list_s handle and returns it.
+ * The cert pointer in the returned #ckmc_cert_list_s handle points to the provided
+ * #ckmc_cert_s and next is null.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks You must destroy the newly created @a ckmc_cert_list_s by calling ckmc_cert_list_free()
+ * @remarks You must destroy the newly created @a ppalias_list by calling ckmc_cert_list_free()
* or ckmc_cert_list_all_free() if it is no longer needed.
*
- * @param[in] cert The first item to be set in the newly created @a ckmc_cert_list_s
- * @param[out] ppalias_list The pointer to a newly created @a ckmc_alias_list_s handle
+ * @param[in] cert The first item to be set in the newly created #ckmc_cert_list_s
+ * @param[out] ppalias_list The pointer to a newly created #ckmc_alias_list_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
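Review bot: The rewritten @param[out] line for ckmc_cert_list_new still describes @a ppalias_list as "a newly created #ckmc_alias_list_s handle", but the prototype below declares it as `ckmc_cert_list_s **ppalias_list`; the commit converts @a to # here without fixing the type, so the generated docs now link to the wrong structure. Change it to `@param[out] ppalias_list The pointer to a newly created #ckmc_cert_list_s handle`. The same slip is kept in the ckmc_cert_list_add block in the next hunk, where both the brief ("returned #ckmc_alias_list_s handle") and the @a pplast line name #ckmc_alias_list_s instead of #ckmc_cert_list_s.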
@@ -464,21 +574,20 @@ void ckmc_alias_list_all_free(ckmc_alias_list_s *first);
int ckmc_cert_list_new(ckmc_cert_s *cert, ckmc_cert_list_s **ppalias_list);
/**
- * @internal
- * @brief Creates a new @a ckmc_cert_list_s handle, adds it to a previous @a ckmc_cert_list_s and
- * returns it. The cert pointer in the returned @a ckmc_alias_list_s handle points to the
- * provided @a ckmc_cert_s and next is null.
+ * @brief Creates a new #ckmc_cert_list_s handle, adds it to a previous #ckmc_cert_list_s and
+ * returns it. The cert pointer in the returned #ckmc_alias_list_s handle points to the
+ * provided #ckmc_cert_s and next is null.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @param[in] previous The last @a ckmc_cert_list_s handle to which a newly created
- * @a ckmc_cert_list_s is added
- * @param[in] cert The item to be set in the newly created @a ckmc_cert_list_s
- * @param[out] pplast The pointer to a newly created and added @a ckmc_alias_list_s handle
+ * @param[in] previous The last #ckmc_cert_list_s handle to which a newly created
+ * #ckmc_cert_list_s is added
+ * @param[in] cert The item to be set in the newly created #ckmc_cert_list_s
+ * @param[out] pplast The pointer to a newly created and added #ckmc_alias_list_s handle
*
- * @return @c 0 on success,
- * otherwise a negative error value
+ * @return #CKMC_ERROR_NONE on success, otherwise a negative error value
*
+ * @retval #CKMC_ERROR_NONE Successful
* @retval #CKMC_ERROR_INVALID_PARAMETER Input parameter is invalid
* @retval #CKMC_ERROR_OUT_OF_MEMORY Not enough memory
*
@@ -488,15 +597,14 @@ int ckmc_cert_list_new(ckmc_cert_s *cert, ckmc_cert_list_s **ppalias_list);
int ckmc_cert_list_add(ckmc_cert_list_s *previous, ckmc_cert_s *cert, ckmc_cert_list_s **pplast);
/**
- * @internal
- * @brief Destroys the @a ckmc_cert_list_s handle and releases resources of @a ckmc_cert_list_s
- * from the provided first handle cascadingly.
+ * @brief Destroys the #ckmc_cert_list_s handle and releases resources from the provided
+ * @a first handle cascadingly.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.4
*
- * @remarks It does not destroy @a ckmc_cert_s itself in @a ckmc_cert_list_s.
+ * @remarks It does not destroy #ckmc_cert_s itself in #ckmc_cert_list_s.
*
- * @param[in] first The first @a ckmc_cert_list_s handle to destroy
+ * @param[in] first The first #ckmc_cert_list_s handle to destroy
*
* @see ckmc_cert_list_all_free()
* @see #ckmc_cert_list_s
@@ -504,15 +612,16 @@ int ckmc_cert_list_add(ckmc_cert_list_s *previous, ckmc_cert_s *cert, ckmc_cert_
void ckmc_cert_list_free(ckmc_cert_list_s *first);
/**
- * @brief Destroys the @a ckmc_cert_list_s handle and releases all its resources from the provided
- * first handle cascadingly.
+ * @brief Destroys the #ckmc_cert_list_s handle and releases all its resources from the provided
+ * @a first handle cascadingly.
*
- * @since_tizen @if MOBILE 2.3 @elseif WEARABLE 2.3.1 @endif
+ * @since_tizen 2.3
*
- * @remarks It also destroys @a ckmc_cert_s in ckmc_cert_list_s.
+ * @remarks It also destroys #ckmc_cert_s in #ckmc_cert_list_s.
*
- * @param[in] first The first @a ckmc_cert_list_s handle to destroy
+ * @param[in] first The first #ckmc_cert_list_s handle to destroy
*
+ * @see ckmc_cert_list_free()
* @see #ckmc_cert_list_s
*/
void ckmc_cert_list_all_free(ckmc_cert_list_s *first);
diff --git a/src/listener/CMakeLists.txt b/src/listener/CMakeLists.txt
deleted file mode 100644
index 25be929..0000000
--- a/src/listener/CMakeLists.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-PKG_CHECK_MODULES(LISTENER_DEP
- REQUIRED
- dlog
- glib-2.0
- capi-appfw-package-manager
- libsystemd-daemon
- )
-
-SET(LISTENER_SOURCES ${PROJECT_SOURCE_DIR}/src/listener/listener-daemon.cpp)
-
-# fPIE flag is added for ASLR
-SET_SOURCE_FILES_PROPERTIES(
- ${LISTENER_SOURCES}
- PROPERTIES
- COMPILE_FLAGS "-D_GNU_SOURCE -fvisibility=hidden -fPIE")
-
-INCLUDE_DIRECTORIES(
- ${PROJECT_SOURCE_DIR}/src/include
- ${LISTENER_DEP_INCLUDE_DIRS}
- )
-
-ADD_EXECUTABLE(${TARGET_LISTENER} ${LISTENER_SOURCES})
-
-# pie flag is added for ASLR
-TARGET_LINK_LIBRARIES(
- ${TARGET_LISTENER}
- ${LISTENER_DEP_LIBRARIES}
- ${TARGET_KEY_MANAGER_CLIENT}
- ${TARGET_KEY_MANAGER_CONTROL_CLIENT}
- -pie
- )
-
-INSTALL(TARGETS ${TARGET_LISTENER} DESTINATION bin)
diff --git a/src/listener/listener-daemon.cpp b/src/listener/listener-daemon.cpp
deleted file mode 100644
index b86ffcf..0000000
--- a/src/listener/listener-daemon.cpp
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file listener-daemon.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Listener daemon handle some events for key-manager
- */
-#include <fcntl.h>
-#include <unistd.h>
-
-#include <glib.h>
-#include <package_manager.h>
-#include <ckm/ckm-control.h>
-#include <ckm/ckm-type.h>
-#include <dlog.h>
-
-#define CKM_LISTENER_TAG "CKM_LISTENER"
-
-namespace {
-const char* const CKM_LOCK = "/var/run/key-manager.pid";
-};
-
-bool isCkmRunning()
-{
- int lock = TEMP_FAILURE_RETRY(open(CKM_LOCK, O_RDWR));
- if (lock == -1)
- return false;
-
- int ret = lockf(lock, F_TEST, 0);
- close(lock);
-
- // if lock test fails because of an error assume ckm is running
- return (0 != ret);
-}
-
-void packageUninstalledEventCallback(
- const char *type,
- const char *package,
- package_manager_event_type_e eventType,
- package_manager_event_state_e eventState,
- int progress,
- package_manager_error_e error,
- void *userData)
-{
- (void) type;
- (void) progress;
- (void) error;
- (void) userData;
-
- if (eventType != PACKAGE_MANAGER_EVENT_TYPE_UNINSTALL ||
- eventState != PACKAGE_MANAGER_EVENT_STATE_STARTED ||
- package == NULL) {
- SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "PackageUninstalled Callback error of Invalid Param");
- }
- else {
- SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "PackageUninstalled Callback. Uninstalation of: %s", package);
- auto control = CKM::Control::create();
- int ret = 0;
- if ( CKM_API_SUCCESS != (ret = control->removeApplicationData(std::string(package))) ) {
- SLOG(LOG_ERROR, CKM_LISTENER_TAG, "CKM::Control::removeApplicationData error. ret : %d\n", ret);
- }
- else {
- SLOG(LOG_DEBUG, CKM_LISTENER_TAG,
- "CKM::Control::removeApplicationData success. Uninstallation package : %s\n", package);
- }
- }
-}
-
-int main(void)
-{
- SLOG(LOG_DEBUG, CKM_LISTENER_TAG, "%s", "Start!");
-
- // Let's start to listen
- GMainLoop *main_loop = g_main_loop_new(NULL, FALSE);
-
- package_manager_h manager;
-
- while (true) {
- if (PACKAGE_MANAGER_ERROR_NONE != package_manager_create(&manager)) {
- SLOG(LOG_ERROR, CKM_LISTENER_TAG, "%s", "Error in create package_manager");
-
- sleep(5);
- continue;
- }
-
- if (PACKAGE_MANAGER_ERROR_NONE != package_manager_set_event_cb(manager, packageUninstalledEventCallback, NULL)) {
- SLOG(LOG_ERROR, CKM_LISTENER_TAG, "%s", "Error in package_manager_set_event_cb");
- package_manager_destroy(manager);
-
- sleep(5);
- continue;
- }
-
- break;
- }
-
- g_main_loop_run(main_loop);
-
- package_manager_destroy(manager);
-
- return 0;
-}
-
diff --git a/src/manager/CMakeLists.txt b/src/manager/CMakeLists.txt
index a50d7b7..1e92e40 100644
--- a/src/manager/CMakeLists.txt
+++ b/src/manager/CMakeLists.txt
@@ -1,8 +1,6 @@
PKG_CHECK_MODULES(COMMON_DEP
REQUIRED
dlog
- openssl
- libsmack
libcrypto
libsystemd-journal
)
@@ -20,6 +18,7 @@ SET(COMMON_SOURCES
${COMMON_PATH}/common/certificate-impl.cpp
${COMMON_PATH}/common/key-impl.cpp
${COMMON_PATH}/common/pkcs12-impl.cpp
+ ${COMMON_PATH}/common/client-info-impl.cpp
${COMMON_PATH}/common/log-setup.cpp
${COMMON_PATH}/dpl/log/src/abstract_log_provider.cpp
${COMMON_PATH}/dpl/log/src/dlog_log_provider.cpp
@@ -35,17 +34,12 @@ SET(COMMON_SOURCES
${COMMON_PATH}/dpl/core/src/errno_string.cpp
)
-INCLUDE_DIRECTORIES(SYSTEM
- ${COMMON_DEP_INCLUDE_DIRS}
- )
-
INCLUDE_DIRECTORIES(
+ SYSTEM
+ ${COMMON_DEP_INCLUDE_DIRS}
${COMMON_PATH}/common
${COMMON_PATH}/dpl/core/include
${COMMON_PATH}/dpl/log/include
- ${COMMON_PATH}/dpl/db/include
- ${COMMON_PATH}/sqlcipher
- ${COMMON_PATH}/service
)
ADD_LIBRARY(${TARGET_KEY_MANAGER_COMMON} SHARED ${COMMON_SOURCES})
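Review bot: Folding the two INCLUDE_DIRECTORIES calls into one with `SYSTEM` as the first argument marks every listed directory as a system include, including `${COMMON_PATH}/common` and the dpl core/log headers, so compiler warnings raised inside the project's own headers are now suppressed for this target. The previous layout applied SYSTEM only to `${COMMON_DEP_INCLUDE_DIRS}`, which is the intended split. Keep `INCLUDE_DIRECTORIES(SYSTEM ${COMMON_DEP_INCLUDE_DIRS})` as its own call and list the three project directories in a plain `INCLUDE_DIRECTORIES(...)` call, as the removed lines did.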
@@ -62,8 +56,4 @@ TARGET_LINK_LIBRARIES(${TARGET_KEY_MANAGER_COMMON}
${COMMON_DEP_LIBRARIES}
)
-##########################################################################
-
INSTALL(TARGETS ${TARGET_KEY_MANAGER_COMMON} DESTINATION ${LIB_INSTALL_DIR})
-
-
diff --git a/src/manager/client-capi/ckmc-control.cpp b/src/manager/client-capi/ckmc-control.cpp
index 997cf02..5caf087 100644
--- a/src/manager/client-capi/ckmc-control.cpp
+++ b/src/manager/client-capi/ckmc-control.cpp
@@ -14,7 +14,7 @@
* limitations under the License
*
*
- * @file ckmc-control.h
+ * @file ckmc-control.cpp
* @author Yuseok Jeon(yuseok.jeon@samsung.com)
* @version 1.0
* @brief provides conversion methods to C from C++ for key-manager control functions.
@@ -34,20 +34,13 @@ CKM::Password _toPasswordStr(const char *str)
return CKM::Password(str);
}
-int _ckmc_set_permission_by_adm(uid_t user, const char *alias, const char *accessor, int permissions)
-{
- if (!alias || !accessor)
- return CKMC_ERROR_INVALID_PARAMETER;
-
- auto control = CKM::Control::create();
- return to_ckmc_error(control->setPermission(user, alias, accessor, permissions));
-}
-
KEY_MANAGER_CAPI
int ckmc_unlock_user_key(uid_t user, const char *password)
{
auto control = CKM::Control::create();
- int ret = control->unlockUserKey(user, _toPasswordStr(password));
+ int ret = control->unlockUserKey(
+ CKM::ClientInfo(user),
+ _toPasswordStr(password));
return to_ckmc_error(ret);
}
@@ -55,7 +48,7 @@ KEY_MANAGER_CAPI
int ckmc_lock_user_key(uid_t user)
{
auto control = CKM::Control::create();
- int ret = control->lockUserKey(user);
+ int ret = control->lockUserKey(CKM::ClientInfo(user));
return to_ckmc_error(ret);
}
@@ -63,7 +56,7 @@ KEY_MANAGER_CAPI
int ckmc_remove_user_data(uid_t user)
{
auto control = CKM::Control::create();
- int ret = control->removeUserData(user);
+ int ret = control->removeUserData(CKM::ClientInfo(user));
return to_ckmc_error(ret);
}
@@ -71,9 +64,10 @@ KEY_MANAGER_CAPI
int ckmc_change_user_password(uid_t user, const char *oldPassword, const char *newPassword)
{
auto control = CKM::Control::create();
- int ret = control->changeUserPassword(user,
- _toPasswordStr(oldPassword),
- _toPasswordStr(newPassword));
+ int ret = control->changeUserPassword(
+ CKM::ClientInfo(user),
+ _toPasswordStr(oldPassword),
+ _toPasswordStr(newPassword));
return to_ckmc_error(ret);
}
@@ -81,7 +75,9 @@ KEY_MANAGER_CAPI
int ckmc_reset_user_password(uid_t user, const char *newPassword)
{
auto control = CKM::Control::create();
- int ret = control->resetUserPassword(user, _toPasswordStr(newPassword));
+ int ret = control->resetUserPassword(
+ CKM::ClientInfo(user),
+ _toPasswordStr(newPassword));
return to_ckmc_error(ret);
}
@@ -97,7 +93,21 @@ int ckmc_allow_access_by_adm(uid_t user, const char* owner, const char *alias, c
return ec;
// if label given twice, service will return an error
- return _ckmc_set_permission_by_adm(user, CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(), accessor, permissionMask);
+ return ckmc_set_permission_by_adm(user, CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(), accessor, permissionMask);
+}
+
+KEY_MANAGER_CAPI
+int ckmc_set_permission_by_adm(uid_t user, const char *alias, const char *accessor, int permissions)
+{
+ if (!alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ auto control = CKM::Control::create();
+ return to_ckmc_error(control->setPermission(
+ CKM::ClientInfo(user),
+ alias,
+ accessor,
+ permissions));
}
KEY_MANAGER_CAPI
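Review bot: ckmc_set_permission_by_adm becomes an exported entry point here, but it forwards the raw `int permissions` to the service after only a null check on the strings, whereas the existing ckmc_allow_access_by_adm path obtains its mask through the converted `ec`/permissionMask value. Unless the service rejects unknown bits (not visible from this hunk), a caller of the new public function can pass an arbitrary integer as the permission set; either mask the argument against the permission bits the C API defines before the call, or document on the public declaration that validation happens server-side. The call at the top of this hunk uses the function before its definition, so it presumably now has a prototype in ckmc-control.h, which is outside this diff section.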
@@ -109,8 +119,9 @@ int ckmc_deny_access_by_adm(uid_t user, const char* owner, const char *alias, co
// if label given twice, service will return an error
auto control = CKM::Control::create();
return to_ckmc_error(control->setPermission(
- user,
- CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(),
- accessor,
- CKM::Permission::NONE));
+ CKM::ClientInfo(user),
+ CKM::AliasSupport::merge(CKM::Label(owner),
+ CKM::Name(alias)).c_str(),
+ accessor,
+ CKM::Permission::NONE));
}
diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp
index 1f3da2f..65bc9aa 100644
--- a/src/manager/client-capi/ckmc-manager.cpp
+++ b/src/manager/client-capi/ckmc-manager.cpp
@@ -14,10 +14,10 @@
* limitations under the License
*
*
- * @file ckmc-control.h
+ * @file ckmc-manager.cpp
* @author Yuseok Jeon(yuseok.jeon@samsung.com)
* @version 1.0
- * @brief provides conversion methods to C from C++ for key-manager control functions.
+ * @brief provides conversion methods to C from C++ for key-manager storage functions.
*/
#include <ckm/ckm-type.h>
@@ -27,7 +27,6 @@
#include <ckmc/ckmc-error.h>
#include <ckmc-type-converter.h>
#include <client-common.h>
-#include <iostream>
#include <string.h>
namespace
@@ -117,25 +116,6 @@ ckmc_cert_list_s *_toNewCkmCertList(const CKM::CertificateShPtrVector &certVecto
return start;
}
-int _ckmc_remove_alias(const char *alias)
-{
- if(!alias)
- return CKMC_ERROR_INVALID_PARAMETER;
-
- CKM::ManagerShPtr mgr = CKM::Manager::create();
- int ret = mgr->removeAlias(alias);
- return to_ckmc_error(ret);
-}
-
-int _ckmc_set_permission(const char *alias, const char *accessor, int permissions)
-{
- if (!alias || !accessor)
- return CKMC_ERROR_INVALID_PARAMETER;
-
- CKM::ManagerShPtr mgr = CKM::Manager::create();
- return to_ckmc_error(mgr->setPermission(alias, accessor, permissions));
-}
-
}
@@ -169,7 +149,7 @@ int ckmc_save_key(const char *alias, const ckmc_key_s key, const ckmc_policy_s p
KEY_MANAGER_CAPI
int ckmc_remove_key(const char *alias)
{
- return _ckmc_remove_alias(alias);
+ return ckmc_remove_alias(alias);
}
KEY_MANAGER_CAPI
@@ -264,7 +244,7 @@ int ckmc_save_cert(const char *alias, const ckmc_cert_s cert, const ckmc_policy_
KEY_MANAGER_CAPI
int ckmc_remove_cert(const char *alias)
{
- return _ckmc_remove_alias(alias);
+ return ckmc_remove_alias(alias);
}
KEY_MANAGER_CAPI
@@ -331,6 +311,95 @@ int ckmc_get_cert_alias_list(ckmc_alias_list_s** alias_list) {
}
KEY_MANAGER_CAPI
+int ckmc_save_pkcs12(const char *alias, const ckmc_pkcs12_s *ppkcs, const ckmc_policy_s key_policy, const ckmc_policy_s cert_policy)
+{
+ CKM::KeyShPtr private_key;
+ CKM::CertificateShPtr cert;
+ CKM::CertificateShPtrVector ca_cert_list;
+
+ if(alias==NULL || ppkcs==NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+ CKM::Alias ckmAlias(alias);
+ private_key = _toCkmKey(ppkcs->priv_key);
+ cert = _toCkmCertificate(ppkcs->cert);
+ ca_cert_list = _toCkmCertificateVector(ppkcs->ca_chain);
+
+ CKM::Policy keyPolicy(_tostring(key_policy.password), key_policy.extractable);
+ CKM::Policy certPolicy(_tostring(cert_policy.password), cert_policy.extractable);
+
+ CKM::PKCS12ShPtr pkcs12(new CKM::PKCS12Impl(private_key, cert, ca_cert_list));
+
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ int ret = mgr->savePKCS12(ckmAlias, pkcs12, keyPolicy, certPolicy);
+
+ return to_ckmc_error(ret);
+}
+
+KEY_MANAGER_CAPI
+int ckmc_get_pkcs12(const char *alias, const char *key_password, const char *cert_password, ckmc_pkcs12_s **pkcs12)
+{
+ int ret;
+ CKM::PKCS12ShPtr pkcs;
+ CKM::Password keyPass, certPass;
+ ckmc_key_s *private_key = NULL;
+ ckmc_cert_s *cert = NULL;
+ ckmc_cert_list_s *ca_cert_list = 0;
+
+ if(!alias || !pkcs12) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ if (key_password)
+ keyPass = key_password;
+
+ if (cert_password)
+ certPass = cert_password;
+
+ auto mgr = CKM::Manager::create();
+
+ if((ret = mgr->getPKCS12(alias, keyPass, certPass, pkcs)) != CKM_API_SUCCESS) {
+ return to_ckmc_error(ret);
+ }
+
+ if(!pkcs)
+ return CKMC_ERROR_BAD_RESPONSE;
+
+ auto pkcsKey = pkcs->getKey();
+ if(pkcsKey)
+ {
+ CKM::RawBuffer buffer = pkcsKey->getDER();
+ ckmc_key_type_e keyType = static_cast<ckmc_key_type_e>(pkcsKey->getType());
+ ret = ckmc_key_new(buffer.data(), buffer.size(), keyType, NULL, &private_key);
+ if(ret != CKMC_ERROR_NONE)
+ return ret;
+ }
+
+ auto pkcsCert = pkcs->getCertificate();
+ if(pkcsCert)
+ {
+ CKM::RawBuffer buffer = pkcsCert->getDER();
+ ret = ckmc_cert_new(buffer.data(), buffer.size(), CKMC_FORM_DER, &cert);
+ if(ret != CKMC_ERROR_NONE) {
+ ckmc_key_free(private_key);
+ return ret;
+ }
+ }
+
+ ca_cert_list = _toNewCkmCertList(pkcs->getCaCertificateShPtrVector());
+
+ ret = ckmc_pkcs12_new(private_key, cert, ca_cert_list, pkcs12);
+ if(ret != CKMC_ERROR_NONE)
+ {
+ ckmc_key_free(private_key);
+ ckmc_cert_free(cert);
+ ckmc_cert_list_free(ca_cert_list);
+ }
+ return ret;
+}
+
+
+KEY_MANAGER_CAPI
int ckmc_save_data(const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_s policy)
{
if(alias == NULL) {
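Review bot: In ckmc_get_pkcs12 the cleanup after a failed ckmc_pkcs12_new calls `ckmc_cert_list_free(ca_cert_list)`, which per this commit's own header text only releases the list nodes and "does not destroy #ckmc_cert_s itself", while _toNewCkmCertList builds fresh certificate handles for that list; the CA certificates therefore leak on that error path. The matching call is `ckmc_cert_list_all_free(ca_cert_list);`. Separately, the private-key DER is copied into the local `buffer` before ckmc_key_new and then left to an ordinary vector destructor; if CKM::RawBuffer does not use a wiping allocator (not visible here), it may be worth clearing it once the key handle has been created.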
@@ -354,7 +423,7 @@ int ckmc_save_data(const char *alias, ckmc_raw_buffer_s data, const ckmc_policy_
KEY_MANAGER_CAPI
int ckmc_remove_data(const char *alias)
{
- return _ckmc_remove_alias(alias);
+ return ckmc_remove_alias(alias);
}
KEY_MANAGER_CAPI
@@ -616,6 +685,64 @@ int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert, const ckmc_alias_lis
}
KEY_MANAGER_CAPI
+int ckmc_get_cert_chain_with_trustedcert(const ckmc_cert_s* cert,
+ const ckmc_cert_list_s* untrustedcerts,
+ const ckmc_cert_list_s* trustedcerts,
+ const bool sys_certs,
+ ckmc_cert_list_s** ppcert_chain_list)
+{
+ int ret;
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ CKM::CertificateShPtrVector ckm_cert_chain;
+
+ if(cert == NULL || cert->raw_cert == NULL || cert->cert_size <= 0 || ppcert_chain_list == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+ CKM::CertificateShPtr ckm_cert = _toCkmCertificate(cert);
+
+ if(ckm_cert.get() == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ CKM::CertificateShPtrVector ckm_untrusted = _toCkmCertificateVector(untrustedcerts);
+ CKM::CertificateShPtrVector ckm_trusted = _toCkmCertificateVector(trustedcerts);
+
+ ret = mgr->getCertificateChain(ckm_cert, ckm_untrusted, ckm_trusted, sys_certs, ckm_cert_chain);
+ if( ret != CKM_API_SUCCESS) {
+ return to_ckmc_error(ret);
+ }
+
+ *ppcert_chain_list = _toNewCkmCertList(ckm_cert_chain);
+
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
+int ckmc_ocsp_check(const ckmc_cert_list_s *pcert_chain_list, ckmc_ocsp_status_e *ocsp_status)
+{
+ if (pcert_chain_list == NULL
+ || pcert_chain_list->cert == NULL
+ || pcert_chain_list->cert->raw_cert == NULL
+ || pcert_chain_list->cert->cert_size <= 0
+ || ocsp_status == NULL) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ int ret = CKMC_ERROR_UNKNOWN;
+ int tmpOcspStatus = -1;
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ CKM::CertificateShPtrVector ckmCertChain = _toCkmCertificateVector(pcert_chain_list);
+
+ if (ckmCertChain.size() < 2) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ ret = mgr->ocspCheck(ckmCertChain, tmpOcspStatus);
+ *ocsp_status = to_ckmc_ocsp_status(tmpOcspStatus);
+ return to_ckmc_error(ret);
+}
+
+KEY_MANAGER_CAPI
int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right_e granted)
{
int ec, permissionMask;
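Review bot: In ckmc_ocsp_check the `size() < 2` guard carries no explanation, and `*ocsp_status` is written even when `ocspCheck` fails, so the out-parameter is only meaningful together with a CKMC_ERROR_NONE return. Suggest `// OCSP needs the end-entity certificate followed by its issuer; shorter chains cannot be checked` on the guard, and a header comment stating that on error `*ocsp_status` is set to CKMC_OCSP_STATUS_UNKNOWN (the -1 sentinel falls into to_ckmc_ocsp_status's default arm). `int ret = CKMC_ERROR_UNKNOWN;` is overwritten before it is read and can simply become `int ret = mgr->ocspCheck(ckmCertChain, tmpOcspStatus);`. In both new functions the Manager is created before the parameters are validated; moving `CKM::Manager::create()` below the checks avoids constructing it for a call that is rejected anyway.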
@@ -623,7 +750,17 @@ int ckmc_allow_access(const char *alias, const char *accessor, ckmc_access_right
if(ec != CKMC_ERROR_NONE)
return ec;
- return _ckmc_set_permission(alias, accessor, permissionMask);
+ return ckmc_set_permission(alias, accessor, permissionMask);
+}
+
+KEY_MANAGER_CAPI
+int ckmc_set_permission(const char *alias, const char *accessor, int permissions)
+{
+ if (!alias || !accessor)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ return to_ckmc_error(mgr->setPermission(alias, accessor, permissions));
}
KEY_MANAGER_CAPI
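Review bot: ckmc_set_permission forwards the raw `permissions` integer to `mgr->setPermission` without checking it against the defined permission bits, so unknown bits travel to the service unchanged. Since the mask values become public in this commit (ckmc_permission_e is removed from the converter, presumably into the public header), reject anything outside them at the API boundary, assuming READ and REMOVE are the only defined bits: `if (permissions & ~(CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE)) return CKMC_ERROR_INVALID_PARAMETER;`. ckmc_allow_access's body begins outside the hunk.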
@@ -635,3 +772,14 @@ int ckmc_deny_access(const char *alias, const char *accessor)
CKM::ManagerShPtr mgr = CKM::Manager::create();
return to_ckmc_error(mgr->setPermission(alias, accessor, CKM::Permission::NONE));
}
+
+KEY_MANAGER_CAPI
+int ckmc_remove_alias(const char *alias)
+{
+ if(!alias)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ CKM::ManagerShPtr mgr = CKM::Manager::create();
+ int ret = mgr->removeAlias(alias);
+ return to_ckmc_error(ret);
+}
diff --git a/src/manager/client-capi/ckmc-type-converter.cpp b/src/manager/client-capi/ckmc-type-converter.cpp
index 479e327..97fcfe7 100644
--- a/src/manager/client-capi/ckmc-type-converter.cpp
+++ b/src/manager/client-capi/ckmc-type-converter.cpp
@@ -23,12 +23,6 @@
#include <ckmc/ckmc-type.h>
#include <ckmc-type-converter.h>
-typedef enum __ckmc_permission{
- CKMC_PERMISSION_NONE = 0x00, /**< clear permissions */
- CKMC_PERMISSION_READ = 0x01, /**< read allowed */
- CKMC_PERMISSION_REMOVE = 0x02 /**< remove allowed */
-} ckmc_permission_e;
-
int to_ckm_error(int ckmc_error) {
switch(ckmc_error) {
case CKMC_ERROR_NONE: return CKM_API_SUCCESS;
@@ -52,9 +46,10 @@ int to_ckm_error(int ckmc_error) {
case CKMC_ERROR_FILE_ACCESS_DENIED: return CKM_API_ERROR_FILE_ACCESS_DENIED;
case CKMC_ERROR_NOT_EXPORTABLE: return CKM_API_ERROR_NOT_EXPORTABLE;
case CKMC_ERROR_FILE_SYSTEM: return CKM_API_ERROR_FILE_SYSTEM;
+ case CKMC_ERROR_NOT_SUPPORTED: return CKM_API_ERROR_NOT_SUPPORTED;
case CKMC_ERROR_UNKNOWN: return CKM_API_ERROR_UNKNOWN;
}
- return CKMC_ERROR_UNKNOWN;
+ return CKM_API_ERROR_UNKNOWN;
}
int to_ckmc_error(int ckm_error) {
@@ -80,11 +75,26 @@ int to_ckmc_error(int ckm_error) {
case CKM_API_ERROR_FILE_ACCESS_DENIED: return CKMC_ERROR_FILE_ACCESS_DENIED;
case CKM_API_ERROR_NOT_EXPORTABLE: return CKMC_ERROR_NOT_EXPORTABLE;
case CKM_API_ERROR_FILE_SYSTEM: return CKMC_ERROR_FILE_SYSTEM;
+ case CKM_API_ERROR_NOT_SUPPORTED: return CKMC_ERROR_NOT_SUPPORTED;
case CKM_API_ERROR_UNKNOWN: return CKMC_ERROR_UNKNOWN;
}
return CKMC_ERROR_UNKNOWN;
}
+ckmc_ocsp_status_e to_ckmc_ocsp_status(int ckm_ocsp_status) {
+ switch(ckm_ocsp_status) {
+ case CKM_API_OCSP_STATUS_GOOD: return CKMC_OCSP_STATUS_GOOD;
+ case CKM_API_OCSP_STATUS_UNSUPPORTED: return CKMC_OCSP_ERROR_UNSUPPORTED;
+ case CKM_API_OCSP_STATUS_REVOKED: return CKMC_OCSP_STATUS_REVOKED;
+ case CKM_API_OCSP_STATUS_NET_ERROR: return CKMC_OCSP_ERROR_NET;
+ case CKM_API_OCSP_STATUS_INVALID_URL: return CKMC_OCSP_ERROR_INVALID_URL;
+ case CKM_API_OCSP_STATUS_INVALID_RESPONSE: return CKMC_OCSP_ERROR_INVALID_RESPONSE;
+ case CKM_API_OCSP_STATUS_REMOTE_ERROR: return CKMC_OCSP_ERROR_REMOTE;
+ case CKM_API_OCSP_STATUS_INTERNAL_ERROR: return CKMC_OCSP_ERROR_INTERNAL;
+ default: return CKMC_OCSP_STATUS_UNKNOWN;
+ }
+}
+
int access_to_permission_mask(ckmc_access_right_e ar, int & permissionMask)
{
switch(ar)
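Review bot: to_ckmc_ocsp_status silently collapses every unlisted CKM status into CKMC_OCSP_STATUS_UNKNOWN through the `default:` arm, so a status added on the service side later will not surface to C API callers. A one-line comment on that arm, `// any status not listed above (including the -1 sentinel callers pass in) is reported as UNKNOWN`, makes the contract visible to the next maintainer.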
diff --git a/src/manager/client-capi/ckmc-type-converter.h b/src/manager/client-capi/ckmc-type-converter.h
index 20dbb1c..1de3325 100644
--- a/src/manager/client-capi/ckmc-type-converter.h
+++ b/src/manager/client-capi/ckmc-type-converter.h
@@ -33,6 +33,7 @@ extern "C" {
int to_ckmc_error(int ckm_error);
int to_ckm_error(int ckmc_error);
+ckmc_ocsp_status_e to_ckmc_ocsp_status(int ckm_ocsp_status);
int access_to_permission_mask(ckmc_access_right_e ar, int & permissionMask);
#ifdef __cplusplus
diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp
index 41c718a..5775929 100644
--- a/src/manager/client-capi/ckmc-type.cpp
+++ b/src/manager/client-capi/ckmc-type.cpp
@@ -202,6 +202,30 @@ void ckmc_cert_free(ckmc_cert_s *cert)
}
KEY_MANAGER_CAPI
+int ckmc_pkcs12_new(ckmc_key_s *private_key, ckmc_cert_s *cert,
+ ckmc_cert_list_s *ca_cert_list, ckmc_pkcs12_s **pkcs12_bundle)
+{
+ ckmc_pkcs12_s *pkcs12;
+
+ if(!pkcs12_bundle ||
+ (private_key==NULL && cert==NULL && (ca_cert_list==NULL || ca_cert_list->cert==NULL))) {
+ return CKMC_ERROR_INVALID_PARAMETER;
+ }
+
+ pkcs12 = static_cast<ckmc_pkcs12_s*>(malloc(sizeof(ckmc_pkcs12_s)));
+ if(pkcs12 == NULL) {
+ return CKMC_ERROR_OUT_OF_MEMORY;
+ }
+ // ownership is transferred into pkcs12 - mentioned in the docs
+ pkcs12->priv_key = private_key;
+ pkcs12->cert = cert;
+ pkcs12->ca_chain = ca_cert_list;
+
+ *pkcs12_bundle = pkcs12;
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
int ckmc_load_from_pkcs12_file(const char *file_path, const char *passphrase, ckmc_key_s **private_key, ckmc_cert_s **ckmcert, ckmc_cert_list_s **ca_cert_list)
{
class Pkcs12Converter {
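Review bot: The comment `// ownership is transferred into pkcs12 - mentioned in the docs` does not say that the transfer happens only on success; on CKMC_ERROR_INVALID_PARAMETER or CKMC_ERROR_OUT_OF_MEMORY the caller still owns all three inputs, which is exactly what ckmc_pkcs12_load and ckmc_get_pkcs12 rely on when they free them after a failure. Suggest `// On success the bundle owns private_key, cert and ca_cert_list; on any error the caller keeps ownership and must free them.` The `(private_key==NULL && cert==NULL && (ca_cert_list==NULL || ca_cert_list->cert==NULL))` condition also deserves a short `// an empty bundle is not allowed` since the reason is not obvious from the code.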
@@ -368,6 +392,45 @@ int ckmc_load_from_pkcs12_file(const char *file_path, const char *passphrase, ck
}
KEY_MANAGER_CAPI
+int ckmc_pkcs12_load(const char *file_path, const char *passphrase, ckmc_pkcs12_s **pkcs12_bundle)
+{
+ int ec;
+ ckmc_key_s *private_key = 0;
+ ckmc_cert_s *cert = 0;
+ ckmc_cert_list_s *ca_cert_list = 0;
+
+ if(!file_path || !pkcs12_bundle)
+ return CKMC_ERROR_INVALID_PARAMETER;
+
+ ec = ckmc_load_from_pkcs12_file(file_path, passphrase, &private_key, &cert, &ca_cert_list);
+ if(ec != CKMC_ERROR_NONE)
+ return ec;
+
+ ec = ckmc_pkcs12_new(private_key, cert, ca_cert_list, pkcs12_bundle);
+ if(ec != CKMC_ERROR_NONE)
+ {
+ ckmc_key_free(private_key);
+ ckmc_cert_free(cert);
+ ckmc_cert_list_free(ca_cert_list);
+ return ec;
+ }
+
+ return CKMC_ERROR_NONE;
+}
+
+KEY_MANAGER_CAPI
+void ckmc_pkcs12_free(ckmc_pkcs12_s *pkcs12)
+{
+ if(pkcs12 == NULL)
+ return;
+
+ ckmc_key_free(pkcs12->priv_key);
+ ckmc_cert_free(pkcs12->cert);
+ ckmc_cert_list_all_free(pkcs12->ca_chain);
+ free(pkcs12);
+}
+
+KEY_MANAGER_CAPI
int ckmc_alias_list_new(char *alias, ckmc_alias_list_s **ppalias_list)
{
ckmc_alias_list_s *previous = NULL;
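Review bot: The error path in ckmc_pkcs12_load frees the CA chain with `ckmc_cert_list_free(ca_cert_list)` while ckmc_pkcs12_free releases the same member with `ckmc_cert_list_all_free`; if the non-`all` variant releases only the list nodes, as the distinct name suggests, the certificates produced by ckmc_load_from_pkcs12_file leak on that path. The same pairing appears in ckmc_get_pkcs12's error path earlier in this commit. If the `_all_` variant is the one that owns the certificates, the cleanup should read `ckmc_cert_list_all_free(ca_cert_list);` in both places.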
diff --git a/src/manager/client/client-control.cpp b/src/manager/client/client-control.cpp
index 37cbf66..f29ba0a 100644
--- a/src/manager/client/client-control.cpp
+++ b/src/manager/client/client-control.cpp
@@ -15,10 +15,10 @@
* See the License for the specific language governing permissions and
* limitations under the License
*
- * @file client-common.cpp
+ * @file client-control.cpp
* @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
* @version 1.0
- * @brief This file is implementation of client-common functions.
+ * @brief This file is implementation of client-control functions.
*/
#include <dpl/log/log.h>
@@ -38,15 +38,15 @@ public:
ControlImpl& operator=(const ControlImpl &) = delete;
ControlImpl& operator=(ControlImpl &&) = delete;
- virtual int unlockUserKey(uid_t user, const Password &password) {
+ virtual int unlockUserKey(const ClientInfo &clientInfo, const Password &password) {
return try_catch([&] {
- if((int)user < 0) {
+ if((int)clientInfo.getUID() < 0) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::UNLOCK_USER_KEY),
- user,
+ clientInfo.getClientID(),
password);
int retCode = m_controlConnection.processRequest(send.Pop(), recv);
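Review bot: The guard `if((int)clientInfo.getUID() < 0)` is repeated verbatim in unlockUserKey, lockUserKey, removeUserData, changeUserPassword and resetUserPassword; it casts an unsigned uid_t to int to detect a sentinel, which is easy to misread. A single validity check on ClientInfo, or a small private helper returning CKM_API_ERROR_INPUT_PARAM, would keep the rule in one place. The ControlImpl class and each of these method bodies extend outside the hunks.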
@@ -59,14 +59,15 @@ public:
});
}
- virtual int lockUserKey(uid_t user) {
+ virtual int lockUserKey(const ClientInfo &clientInfo) {
return try_catch([&] {
- if((int)user < 0) {
+ if((int)clientInfo.getUID() < 0) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
- auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::LOCK_USER_KEY), user);
+ auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::LOCK_USER_KEY),
+ clientInfo.getClientID());
int retCode = m_controlConnection.processRequest(send.Pop(), recv);
if (CKM_API_SUCCESS != retCode)
@@ -77,15 +78,15 @@ public:
return retCode;
});
}
-
- virtual int removeUserData(uid_t user) {
+ virtual int removeUserData(const ClientInfo &clientInfo) {
return try_catch([&] {
- if((int)user < 0) {
+ if((int)clientInfo.getUID() < 0) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
- auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::REMOVE_USER_DATA), user);
+ auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::REMOVE_USER_DATA),
+ clientInfo.getClientID());
int retCode = m_controlConnection.processRequest(send.Pop(), recv);
if (CKM_API_SUCCESS != retCode)
@@ -96,17 +97,16 @@ public:
return retCode;
});
}
-
- virtual int changeUserPassword(uid_t user, const Password &oldPassword, const Password &newPassword) {
+ virtual int changeUserPassword(const ClientInfo &clientInfo, const Password &oldPassword, const Password &newPassword) {
return try_catch([&] {
- if((int)user < 0) {
+ if((int)clientInfo.getUID() < 0) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
auto send = MessageBuffer::Serialize(
static_cast<int>(ControlCommand::CHANGE_USER_PASSWORD),
- user,
+ clientInfo.getClientID(),
oldPassword,
newPassword);
@@ -120,16 +120,16 @@ public:
});
}
- virtual int resetUserPassword(uid_t user, const Password &newPassword) {
+ virtual int resetUserPassword(const ClientInfo &clientInfo, const Password &newPassword) {
return try_catch([&] {
- if((int)user < 0) {
+ if((int)clientInfo.getUID() < 0) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
auto send = MessageBuffer::Serialize(
static_cast<int>(ControlCommand::RESET_USER_PASSWORD),
- user,
+ clientInfo.getClientID(),
newPassword);
int retCode = m_controlConnection.processRequest(send.Pop(), recv);
@@ -142,14 +142,16 @@ public:
});
}
- virtual int removeApplicationData(const Label &smackLabel) {
+ virtual int removeApplicationData(const std::string &zone, const Label &smackLabel) {
return try_catch([&] {
if (smackLabel.empty()) {
return CKM_API_ERROR_INPUT_PARAM;
}
MessageBuffer recv;
- auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::REMOVE_APP_DATA), smackLabel);
+ auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::REMOVE_APP_DATA),
+ zone,
+ smackLabel);
int retCode = m_controlConnection.processRequest(send.Pop(), recv);
if (CKM_API_SUCCESS != retCode)
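Review bot: removeApplicationData now serializes the new `zone` argument but only validates `smackLabel`, so an empty zone is sent to the service as-is. Unless the service side is known to reject it, the check should be `if (zone.empty() || smackLabel.empty()) {`. The method body continues outside the hunk.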
@@ -176,7 +178,7 @@ public:
});
}
- virtual int setPermission(uid_t user,
+ virtual int setPermission(const ClientInfo &clientInfo,
const Alias &alias,
const Label &accessor,
PermissionMask permissionMask)
@@ -185,7 +187,7 @@ public:
MessageBuffer recv;
AliasSupport helper(alias);
auto send = MessageBuffer::Serialize(static_cast<int>(ControlCommand::SET_PERMISSION),
- static_cast<int>(user),
+ clientInfo.getClientID(),
helper.getName(),
helper.getLabel(),
accessor,
diff --git a/src/manager/client/client-manager-impl.cpp b/src/manager/client/client-manager-impl.cpp
index b27e180..cae0973 100644
--- a/src/manager/client/client-manager-impl.cpp
+++ b/src/manager/client/client-manager-impl.cpp
@@ -33,9 +33,8 @@
namespace CKM {
-namespace {
template <class T>
-int getCertChain(
+int ManagerImpl::getCertChain(
ServiceConnection & serviceConnection,
LogicCommand command,
int counter,
@@ -61,8 +60,11 @@ int getCertChain(
int retCommand;
int retCounter;
+ bool retCCModeState;
RawBufferVector rawBufferVector;
- recv.Deserialize(retCommand, retCounter, retCode, rawBufferVector);
+ recv.Deserialize(retCommand, retCounter, retCode, rawBufferVector, retCCModeState);
+
+ LogDebug("CCModeState[" << (retCCModeState ? "TRUE" : "FALSE") << "]");
if ((counter != retCounter) || (static_cast<int>(command) != retCommand)) {
return CKM_API_ERROR_UNKNOWN;
@@ -79,12 +81,19 @@ int getCertChain(
certificateChainVector.push_back(cert);
}
+ if (retCCModeState) {
+ int ocspStatus;
+ retCode = ocspCheck(certificateChainVector, ocspStatus);
+
+ if ((retCode == CKM_API_SUCCESS) && (ocspStatus != CKM_API_OCSP_STATUS_GOOD)) {
+ retCode = CKM_API_ERROR_VERIFICATION_FAILED;
+ }
+ }
+
return retCode;
});
}
-} // namespace anonymous
-
ManagerImpl::ManagerImpl()
: m_counter(0), m_storageConnection(SERVICE_SOCKET_CKM_STORAGE), m_ocspConnection(SERVICE_SOCKET_OCSP)
{
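Review bot: The CC-mode OCSP enforcement added to getCertChain runs in the client library on a flag the service returns, and a failed `ocspCheck` (network or response error) now propagates its error code out of a chain lookup, which is a behaviour change callers of getCertificateChain will observe. A comment above the block would record that intent, e.g. `// In CC mode a chain is only returned when the OCSP check succeeds and reports GOOD; any OCSP failure fails the lookup (fail-closed).` `int ocspStatus;` is only read after a success return, but `int ocspStatus = -1;` (the sentinel the C API layer uses) removes the reliance on that ordering. The enclosing function starts outside the hunk.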
diff --git a/src/manager/client/client-manager-impl.h b/src/manager/client/client-manager-impl.h
index 8111150..ff70fdf 100644
--- a/src/manager/client/client-manager-impl.h
+++ b/src/manager/client/client-manager-impl.h
@@ -90,6 +90,7 @@ public:
bool useTrustedSystemCertificates,
CertificateShPtrVector &certificateChainVector);
+
int createSignature(
const Alias &privateKeyAlias,
const Password &password, // password for private_key
@@ -136,6 +137,17 @@ protected:
const Policy &policyPrivateKey,
const Policy &policyPublicKey);
+ template <class T>
+ int getCertChain(
+ ServiceConnection & serviceConnection,
+ LogicCommand command,
+ int counter,
+ const CertificateShPtr &certificate,
+ const T &untrustedVector,
+ const T &trustedVector,
+ bool useTrustedSystemCertificates,
+ CertificateShPtrVector &certificateChainVector);
+
int m_counter;
CKM::ServiceConnection m_storageConnection;
CKM::ServiceConnection m_ocspConnection;
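Review bot: `getCertChain` is declared as a member template here but its definition lives in client-manager-impl.cpp, so it can only be instantiated inside that translation unit; that is fine for the current callers but should be stated, e.g. `// defined in client-manager-impl.cpp; only instantiable there`. The class body continues outside the hunk.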
diff --git a/src/manager/common/client-info-impl.cpp b/src/manager/common/client-info-impl.cpp
new file mode 100644
index 0000000..e5b268e
--- /dev/null
+++ b/src/manager/common/client-info-impl.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ *
+ * @file client-info-impl.cpp
+ * @author Kyungwook Tak (k.tak@samsung.com)
+ * @version 1.0
+ * @brief ClientInfo implementation.
+ */
+
+#include <ckm/ckm-client-info.h>
+
+namespace CKM {
+ const std::string ClientInfo::ZONE_DEFAULT = "host";
+ const std::string ClientInfo::DELIMITER = "-";
+
+
+uid_t ClientInfo::getUID() const
+{
+ return m_uid;
+}
+
+ClientInfo::~ClientInfo()
+{
+}
+
+ClientInfo::ClientInfo(const std::string &zone, const uid_t uid)
+ : m_zone(zone), m_uid(uid)
+{
+}
+
+ClientInfo::ClientInfo(const uid_t uid)
+ : m_zone(ZONE_DEFAULT), m_uid(uid)
+{
+}
+
+ClientID ClientInfo::getClientID() const
+{
+#ifdef DB_PER_ZONE_ENABLE
+ return ClientID(m_zone
+ + DELIMITER
+ + std::to_string(m_uid));
+#else
+ return ClientID(std::to_string(m_uid));
+#endif
+}
+
+std::string ClientInfo::getZone() const
+{
+ return m_zone;
+}
+
+} // namespace CKM
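Review bot: getClientID builds the identifier as `<zone>-<uid>` only under DB_PER_ZONE_ENABLE and as the bare uid otherwise, and neither constructor rejects an empty zone, so `ClientInfo("", uid)` yields `-<uid>` in the zone-aware build; no comment describes the format. Suggest `// ClientID format: "<zone>" + DELIMITER + "<uid>" when DB_PER_ZONE_ENABLE is set, otherwise just "<uid>"` above getClientID, and, if callers can pass arbitrary zone strings, a check in the two-argument constructor that rejects an empty zone or one containing DELIMITER. The static member definitions at the top of the namespace are indented unlike the rest of the file.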
diff --git a/src/manager/common/key-impl.cpp b/src/manager/common/key-impl.cpp
index 47bc69b..ae70dbb 100644
--- a/src/manager/common/key-impl.cpp
+++ b/src/manager/common/key-impl.cpp
@@ -98,12 +98,12 @@ KeyImpl::KeyImpl(const KeyImpl &second) {
m_type = second.m_type;
}
-KeyImpl &KeyImpl::operator=(const KeyImpl &second)
-{
- if (&second != this) {
- m_pkey = second.getEvpShPtr();
- m_type = second.getType();
- }
+KeyImpl &KeyImpl::operator=(const KeyImpl &second) {
+ if (this == &second)
+ return *this;
+
+ m_pkey = second.m_pkey;
+ m_type = second.m_type;
return *this;
}
diff --git a/src/manager/common/key-impl.h b/src/manager/common/key-impl.h
index 1360627..826ca4f 100644
--- a/src/manager/common/key-impl.h
+++ b/src/manager/common/key-impl.h
@@ -36,7 +36,6 @@ public:
KeyImpl();
KeyImpl(const KeyImpl &second);
KeyImpl &operator=(const KeyImpl &second);
-
KeyImpl(const RawBuffer& buffer, const Password &password = Password());
KeyImpl(EvpShPtr pkey, KeyType type);
diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp
index e86e180..aa4a273 100644
--- a/src/manager/common/protocols.cpp
+++ b/src/manager/common/protocols.cpp
@@ -34,62 +34,29 @@ char const * const SERVICE_SOCKET_CKM_STORAGE = "/tmp/.central-key-manager-api-s
char const * const SERVICE_SOCKET_OCSP = "/tmp/.central-key-manager-api-ocsp.sock";
char const * const LABEL_NAME_SEPARATOR = " ";
-PolicySerializable::PolicySerializable()
-{}
-
-
+PolicySerializable::PolicySerializable() {}
+PolicySerializable::~PolicySerializable() {}
PolicySerializable::PolicySerializable(const Policy &policy)
: Policy(policy)
{}
-PolicySerializable::PolicySerializable(IStream &stream) {
- Deserialization::Deserialize(stream, password);
- Deserialization::Deserialize(stream, extractable);
-}
-
void PolicySerializable::Serialize(IStream &stream) const {
Serialization::Serialize(stream, password);
Serialization::Serialize(stream, extractable);
}
+void PolicySerializable::Deserialize(IStream &stream) {
+ Deserialization::Deserialize(stream, password);
+ Deserialization::Deserialize(stream, extractable);
+}
+
PKCS12Serializable::PKCS12Serializable() {}
+PKCS12Serializable::~PKCS12Serializable() {}
PKCS12Serializable::PKCS12Serializable(const PKCS12 &pkcs)
: PKCS12Impl(pkcs)
{}
-PKCS12Serializable::PKCS12Serializable(IStream &stream)
-{
- // key
- size_t numKeys;
- Deserialization::Deserialize(stream, numKeys);
- if(numKeys > 0) {
- int keyType;
- RawBuffer keyData;
- Deserialization::Deserialize(stream, keyType);
- Deserialization::Deserialize(stream, keyData);
- m_pkey = CKM::Key::create(keyData);
- }
-
- // cert
- size_t numCerts;
- Deserialization::Deserialize(stream, numCerts);
- if(numCerts > 0) {
- RawBuffer certData;
- Deserialization::Deserialize(stream, certData);
- m_cert = CKM::Certificate::create(certData, DataFormat::FORM_DER);
- }
-
- // CA chain
- size_t num_CA;
- Deserialization::Deserialize(stream, num_CA);
- for(size_t i=0; i<num_CA; i++)
- {
- RawBuffer CAcertData;
- Deserialization::Deserialize(stream, CAcertData);
- m_ca.push_back(CKM::Certificate::create(CAcertData, DataFormat::FORM_DER));
- }
-}
PKCS12Serializable::PKCS12Serializable(const KeyShPtr &privKey, const CertificateShPtr &cert, const CertificateShPtrVector &chainCerts)
{
m_pkey = privKey;
@@ -123,7 +90,40 @@ void PKCS12Serializable::Serialize(IStream &stream) const
Serialization::Serialize(stream, getCaCertificateShPtrVector().size());
for(auto it : getCaCertificateShPtrVector())
Serialization::Serialize(stream, it->getDER());
-};
+}
+
+void PKCS12Serializable::Deserialize(IStream &stream)
+{
+ // key
+ size_t numKeys;
+ Deserialization::Deserialize(stream, numKeys);
+ if(numKeys > 0) {
+ int keyType;
+ RawBuffer keyData;
+ Deserialization::Deserialize(stream, keyType);
+ Deserialization::Deserialize(stream, keyData);
+ m_pkey = CKM::Key::create(keyData);
+ }
+
+ // cert
+ size_t numCerts;
+ Deserialization::Deserialize(stream, numCerts);
+ if(numCerts > 0) {
+ RawBuffer certData;
+ Deserialization::Deserialize(stream, certData);
+ m_cert = CKM::Certificate::create(certData, DataFormat::FORM_DER);
+ }
+
+ // CA chain
+ size_t num_CA;
+ Deserialization::Deserialize(stream, num_CA);
+ for(size_t i=0; i<num_CA; i++)
+ {
+ RawBuffer CAcertData;
+ Deserialization::Deserialize(stream, CAcertData);
+ m_ca.push_back(CKM::Certificate::create(CAcertData, DataFormat::FORM_DER));
+ }
+}
} // namespace CKM
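Review bot: PKCS12Serializable::Deserialize appends to `m_ca` and leaves `m_pkey`/`m_cert` untouched when the stream carries zero keys or certificates, so calling it on an object that already holds data (which the new `object.Deserialize(stream)` path in serialization.h makes possible) merges old and new state. Resetting at the top, `m_pkey.reset(); m_cert.reset(); m_ca.clear();` (assuming the ShPtr aliases are shared_ptr), makes the method idempotent. `keyType` is read from the stream and then ignored, as the removed constructor also did; a comment such as `// keyType is consumed only to stay in step with Serialize — TODO confirm it is not needed` would keep the next reader from treating it as a bug.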
diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h
index 302ff54..2de2443 100644
--- a/src/manager/common/protocols.h
+++ b/src/manager/common/protocols.h
@@ -247,20 +247,22 @@ class IStream;
struct COMMON_API PolicySerializable : public Policy, ISerializable {
PolicySerializable();
+ ~PolicySerializable();
explicit PolicySerializable(const Policy &);
- explicit PolicySerializable(IStream &);
void Serialize(IStream &) const;
+ void Deserialize(IStream &);
};
struct COMMON_API PKCS12Serializable : public PKCS12Impl, ISerializable {
PKCS12Serializable();
+ ~PKCS12Serializable();
explicit PKCS12Serializable(const PKCS12 &);
- explicit PKCS12Serializable(IStream &);
PKCS12Serializable(
const KeyShPtr &privKey,
const CertificateShPtr &cert,
const CertificateShPtrVector &chainCerts);
void Serialize(IStream &) const;
+ void Deserialize(IStream &);
};
} // namespace CKM
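Review bot: `Serialize` and `Deserialize` implement the pure virtuals of ISerializable but are not marked `override`, and the new destructors are declared without `virtual` (they are virtual through the base, which is not visible from this header). Since the code base already uses C++11 features (`= delete` in client-control.cpp), `void Serialize(IStream &) const override;` and `void Deserialize(IStream &) override;` let the compiler catch any future signature drift between the interface and these structs.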
diff --git a/src/manager/dpl/core/include/dpl/serialization.h b/src/manager/dpl/core/include/dpl/serialization.h
index 581fedd..078607d 100644
--- a/src/manager/dpl/core/include/dpl/serialization.h
+++ b/src/manager/dpl/core/include/dpl/serialization.h
@@ -47,6 +47,7 @@ class ISerializable
/* ISerializable(){};
* ISerializable(IStream&){}; */
virtual void Serialize(IStream &) const = 0;
+ virtual void Deserialize(IStream &) = 0;
virtual ~ISerializable(){}
};
@@ -253,12 +254,12 @@ struct Deserialization {
template <typename T>
static void Deserialize(IStream& stream, T& object)
{
- object = T(stream);
+ object.Deserialize(stream);
}
template <typename T>
static void Deserialize(IStream& stream, T*& object)
{
- object = new T(stream);
+ object->Deserialize(stream);
}
// char
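Review bot: `Deserialize(IStream&, T*& object)` previously allocated the object with `new T(stream)` and now dereferences whatever pointer the caller passes, so any caller still relying on the old allocating contract hands in a null pointer and crashes. The new contract should be stated on the overload, e.g. `// object must already point to a constructed T; this overload no longer allocates`, and a null check that throws or asserts would turn the crash into a diagnosable error.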
diff --git a/src/manager/dpl/core/src/exception.cpp b/src/manager/dpl/core/src/exception.cpp
index 32d6024..792c97f 100644
--- a/src/manager/dpl/core/src/exception.cpp
+++ b/src/manager/dpl/core/src/exception.cpp
@@ -22,6 +22,7 @@
#include <stddef.h>
#include <dpl/exception.h>
#include <dpl/log/log.h>
+#include <cstdio>
namespace CKM {
Exception* Exception::m_lastException = NULL;
@@ -30,6 +31,9 @@ void (*Exception::m_terminateHandler)() = NULL;
void LogUnhandledException(const std::string &str)
{
+ // Logging to console
+ printf("%s\n", str.c_str());
+
// Logging to dlog
LogPedantic(str);
}
@@ -39,6 +43,13 @@ void LogUnhandledException(const std::string &str,
int line,
const char *function)
{
+ // Logging to console
+ std::ostringstream msg;
+ msg << "\033[1;5;31m\n=== [" << filename << ":" << line << "] " <<
+ function << " ===\033[m";
+ msg << str;
+ printf("%s\n", msg.str().c_str());
+
// Logging to dlog
CKM::Log::LogSystemSingleton::Instance().Log(CKM::Log::AbstractLogProvider::LogLevel::Error,
str.c_str(),
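Review bot: The new console branch uses `std::ostringstream` but the hunk only adds `#include <cstdio>`; unless `<sstream>` arrives transitively through dpl/exception.h or dpl/log/log.h this will not compile, so add `#include <sstream>` next to it. The text is also written to stdout with ANSI colour escapes and no check that stdout is a terminal, and since unhandled-exception messages in a key manager may carry internal state, it is worth confirming where the daemon's stdout ends up before printing them unconditionally. The enclosing function starts outside the hunk.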
diff --git a/src/manager/dpl/db/src/sql_connection.cpp b/src/manager/dpl/db/src/sql_connection.cpp
index e71918d..7214a73 100644
--- a/src/manager/dpl/db/src/sql_connection.cpp
+++ b/src/manager/dpl/db/src/sql_connection.cpp
@@ -629,13 +629,13 @@ boost::optional<RawBuffer> SqlConnection::DataCommand::GetColumnOptionalBlob(
}
const unsigned char *value = reinterpret_cast<const unsigned char*>(
sqlcipher3_column_blob(m_stmt, column));
+ if (!value) {
+ return boost::optional<RawBuffer>();
+ }
int length = sqlcipher3_column_bytes(m_stmt, column);
LogPedantic("Got blob of length: " << length);
- if (!value)
- return boost::optional<RawBuffer>();
-
RawBuffer temp(value, value + length);
return boost::optional<RawBuffer>(temp);
}
diff --git a/src/manager/dpl/log/src/log.cpp b/src/manager/dpl/log/src/log.cpp
index 1707ebe..d460871 100644
--- a/src/manager/dpl/log/src/log.cpp
+++ b/src/manager/dpl/log/src/log.cpp
@@ -53,9 +53,7 @@ const char * const CONSOLE = "CONSOLE";
const char * const DLOG = "DLOG";
const char * const JOURNALD = "JOURNALD";
-const char * DEFAULT_PROVIDER = "DLOG";
-const char * DEFAULT_LEVEL = "1";
-
+const char * const NO_ENV_SET = "NO_ENV_VARIABLE";
} // namespace anonymous
LogSystem::LogSystem() : m_providerCtor({
@@ -66,19 +64,17 @@ LogSystem::LogSystem() : m_providerCtor({
{ JOURNALD, []{ return static_cast<AbstractLogProvider*>(new JournalLogProvider()); } }
})
{
- const char *env_level = getenv(CKM_LOG_LEVEL);
- if (!env_level)
- env_level = DEFAULT_LEVEL;
-
- SetLogLevel(env_level);
+ const char* logLevel = getenv(CKM_LOG_LEVEL);
+ if(logLevel == NULL)
+ logLevel = NO_ENV_SET; // To solve a prevent issue
+ SetLogLevel(logLevel);
AbstractLogProvider* prv = NULL;
+ const char* logProvider = getenv(CKM_LOG_PROVIDER);
+ if(logProvider == NULL)
+ logProvider = NO_ENV_SET; // To solve a prevent issue
try {
- const char *env_provider = getenv(CKM_LOG_PROVIDER);
- if (!env_provider)
- env_provider = DEFAULT_PROVIDER;
-
- prv = m_providerCtor.at(env_provider)();
+ prv = m_providerCtor.at(logProvider)();
} catch(const std::exception&) {
prv = m_providerCtor[DLOG]();
}
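Review bot: The explicit DEFAULT_PROVIDER/DEFAULT_LEVEL values are replaced by the sentinel string "NO_ENV_VARIABLE", so the log level now depends on how SetLogLevel treats an unrecognised string (not visible here), and the provider default is reached only by `m_providerCtor.at()` throwing and being caught. Keeping an explicit default is clearer and avoids raising an exception on every start without the variable: `const char* logProvider = getenv(CKM_LOG_PROVIDER); if (logProvider == NULL) logProvider = DLOG;` with the same shape for the level. The two `// To solve a prevent issue` comments should name the static-analysis finding they address so the workaround can be revisited.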
diff --git a/src/manager/listener/listener-thread.cpp b/src/manager/listener/listener-thread.cpp
new file mode 100644
index 0000000..9722e65
--- /dev/null
+++ b/src/manager/listener/listener-thread.cpp
@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file listener-daemon.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Listener daemon handle some events for key-manager.
+ */
+
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <thread>
+#include <glib.h>
+#include <ckm/ckm-control.h>
+#include <ckm/ckm-type.h>
+#include <dlog.h>
+#include <listener-thread.h>
+
+
+#include <map>
+#include <utility>
+#include <string>
+#include <package-manager-zone.h>
+
+#define CKM_LISTENER_TAG "CKM_LISTENER"
+
+#define LISTENER_SLOGD(format, arg...) SLOG(LOG_DEBUG, CKM_LISTENER_TAG, format, ##arg)
+#define LISTENER_SLOGE(format, arg...) SLOG(LOG_ERROR, CKM_LISTENER_TAG, format, ##arg)
+
+namespace { // anonymous namespace
+const char *const ZONE_DEFAULT = "host";
+typedef std::pair<std::string, CKM::Label> PkgmgrEvent;
+typedef std::map<const int, PkgmgrEvent> EventMap;
+
+int _pkgmgr_event_callback(
+ int req_id,
+ const char *pkg_type,
+ const char *pkgid,
+ const char *key,
+ const char *val,
+ const void *pmsg,
+ void *data,
+ const char *zone)
+{
+ (void) pmsg;
+ EventMap *eventMap = static_cast<EventMap *>(data);
+
+ LISTENER_SLOGD(
+ "req_id(%d), pkg_type(%s), pkgid(%s), key(%s), val(%s)",
+ req_id, pkg_type, pkgid, key, val);
+
+ // uninstall package start event
+ if (strncmp(key, "start", strlen(key)) == 0
+ && strncmp(val, "uninstall", strlen(val)) == 0) {
+ if (zone) {
+ eventMap->insert(
+ std::pair<const int, PkgmgrEvent>(
+ req_id,
+ PkgmgrEvent(std::string(zone), CKM::Label(pkgid))
+ )
+ );
+ }
+ else {
+ eventMap->insert(
+ std::pair<const int, PkgmgrEvent>(
+ req_id,
+ PkgmgrEvent(std::string(ZONE_DEFAULT), CKM::Label(pkgid))
+ )
+ );
+ }
+ return 0;
+ }
+ // uninstall package success event
+ else if (strncmp(key, "end", strlen(key)) == 0
+ && strncmp(val, "ok", strlen(val)) == 0) {
+ EventMap::iterator it;
+ it = eventMap->find(req_id);
+
+ if (it == eventMap->end()) {
+ LISTENER_SLOGE("cannot find req_id(%d) in eventMap. Maybe not in case of uninstallation.", req_id);
+ }
+ else {
+ LISTENER_SLOGD("Uninstallation success. pkgid(%s)", pkgid);
+
+ auto control = CKM::Control::create();
+ int ret = control->removeApplicationData(std::get<0>(it->second), std::get<1>(it->second));
+ if (ret != CKM_API_SUCCESS) {
+ LISTENER_SLOGE("removeApplicationData error. ret(%d)", ret);
+ }
+ eventMap->erase(it);
+ }
+ }
+
+ // zone can be "personal", "knox" or "host".
+ LISTENER_SLOGD("zone_name is (%s)", zone);
+
+ return 0;
+}
+
+int listener_main(GMainLoop *main_loop) {
+ LISTENER_SLOGD("Start!");
+
+ EventMap eventMap;
+ int req_id = 0;
+ pkgmgr_client *client = pkgmgr_client_new(PC_LISTENING);
+ if (client == NULL) {
+ LISTENER_SLOGE("Error in pkgmgr client creation");
+ return -1;
+ }
+
+ req_id = pkgmgr_client_listen_status_with_zone(client, _pkgmgr_event_callback, &eventMap);
+ if (req_id < 0) {
+ LISTENER_SLOGE("Error in pkgmgr callback registeration req_id(%d)", req_id);
+ pkgmgr_client_free(client);
+ return -1;
+ }
+
+ LISTENER_SLOGD("Ready to listen!");
+ g_main_loop_run(main_loop);
+ SLOG(LOG_ERROR, CKM_LISTENER_TAG, "%s", "Listener main loop ended.");
+ return 0;
+}
+
+} // namespace anonymous
+
+namespace CKM {
+
+ListenerThread::ListenerThread()
+{
+ main_loop = g_main_loop_new(NULL, FALSE);
+}
+
+void ListenerThread::start()
+{
+ SLOG(LOG_INFO, CKM_LISTENER_TAG, "%s", "Listener will start!");
+ std::thread thread(listener_main, main_loop);
+ thread.detach();
+}
+
+ListenerThread::~ListenerThread()
+{
+}
+
+
+} // namespace CKM
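Review bot: The event matching in _pkgmgr_event_callback uses `strncmp(key, "start", strlen(key))`, a prefix comparison bounded by the caller's string, so an empty `key` or `val` compares equal to anything and `"s"` matches `"start"`; a malformed event can then enter the uninstall branch and eventually trigger removeApplicationData for `pkgid`, and a NULL `key`, `val` or `pkgid` dereferences. Compare whole strings after a null guard: `if (!key || !val || !pkgid) return 0;` followed by `strcmp(key, "start") == 0 && strcmp(val, "uninstall") == 0` and `strcmp(key, "end") == 0 && strcmp(val, "ok") == 0`, with `<cstring>` included explicitly. The constructor creates `main_loop` with g_main_loop_new but the destructor neither quits nor `g_main_loop_unref`s it, and the detached thread keeps using it after the ListenerThread object dies; pkgmgr_client_free is also never reached on the normal return path of listener_main. The `@file listener-daemon.cpp` header does not match the file name.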
diff --git a/src/manager/main/smack-check.h b/src/manager/listener/listener-thread.h
index 942578b..657279e 100644
--- a/src/manager/main/smack-check.h
+++ b/src/manager/listener/listener-thread.h
@@ -1,9 +1,5 @@
/*
- * ckm-manager
- *
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
+ * Copyright (c) 2014 Samsung Electronics Co.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,27 +12,34 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License
+ *
+ *
+ * @file listener-thread.h
+ * @author Dongseon Lee(ds72.lee@samsung.com)
+ * @version 1.0
+ * @brief Listener thread header file.
*/
+#pragma once
+
+#include <glib.h>
-#ifndef _SMACK_CHECK_H_
-#define _SMACK_CHECK_H_
namespace CKM {
-/*
- * A very simple runtime check for SMACK on the platform
- * Returns 1 if SMACK is present, 0 otherwise
- */
+class ListenerThread
+{
+public:
+ ListenerThread();
+ ListenerThread(const ListenerThread &) = delete;
+ ListenerThread(ListenerThread &&) = delete;
+ ListenerThread& operator=(const ListenerThread &) = delete;
+ ListenerThread& operator=(ListenerThread &&) = delete;
+ virtual ~ListenerThread();
-int smack_runtime_check(void);
+ virtual void start();
-/*
- * A very simple runtime check for SMACK on the platform
- * Returns 1 if SMACK is present, 0 otherwise. If SMACK_ENABLED is not defined
- * It returns 0.
- */
-int smack_check(void);
+private:
+ GMainLoop *main_loop;
+};
} // namespace CKM
-
-#endif // _SMACK_CHECK_H_
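Review bot: `GMainLoop *main_loop` is an owning raw pointer that is never released: the destructor implemented in listener-thread.cpp is empty, and `start()` detaches the worker, so a `ListenerThread` can go out of scope while the detached thread is still inside `g_main_loop_run` on a loop that is never quit or unref'd. Because the worker only reads the pointer and the loop is never freed, this is a leak plus an un-joinable shutdown rather than a use-after-free, but the header should make the lifetime explicit. Suggest adding `#include <thread>` and a `std::thread m_thread;` member beside `main_loop`, having `start()` assign to it instead of detaching, and having the destructor call `g_main_loop_quit(main_loop);`, join the thread, then `g_main_loop_unref(main_loop);`. Until that is done, a comment on the class such as `// NOTE: the worker thread is detached and main_loop is never released; keep the instance alive for the process lifetime.` would at least warn callers.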
diff --git a/src/manager/main/generic-socket-manager.h b/src/manager/main/generic-socket-manager.h
index 5d1521e..abd6260 100644
--- a/src/manager/main/generic-socket-manager.h
+++ b/src/manager/main/generic-socket-manager.h
@@ -45,7 +45,7 @@ namespace CKM {
typedef int InterfaceID;
struct Credentials {
- uid_t uid;
+ ClientID clientID;
Label smackLabel;
};
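Review bot: `Credentials` now uses `ClientID`, but no include for it is added in this header; if `ClientID` comes from `ckm/ckm-client-info.h` (which socket-manager.cpp newly includes just before `socket-manager.h`), generic-socket-manager.h currently compiles only by include order. Add `#include <ckm/ckm-client-info.h>` to this header's own include list so every translation unit that includes it is self-sufficient. The header's include block is outside the hunk.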
diff --git a/src/manager/main/key-manager-main.cpp b/src/manager/main/key-manager-main.cpp
index a92f8d3..930e053 100644
--- a/src/manager/main/key-manager-main.cpp
+++ b/src/manager/main/key-manager-main.cpp
@@ -38,6 +38,7 @@
#include <key-provider.h>
#include <CryptoService.h>
#include <file-system.h>
+#include <listener-thread.h>
#define REGISTER_SOCKET_SERVICE(manager, service) \
registerSocketService<service>(manager, #service)
@@ -97,12 +98,18 @@ int main(void) {
CKM::CryptoService::initialize();
{
- LogInfo("Start!");
+ LogInfo("Register socket services!");
CKM::SocketManager manager;
REGISTER_SOCKET_SERVICE(manager, CKM::CKMService);
REGISTER_SOCKET_SERVICE(manager, CKM::OCSPService);
+ // Start listener thread for listening app unstall events and vconf key change event
+ LogInfo("Start app event listening!");
+ CKM::ListenerThread listener;
+ listener.start();
+
+ LogInfo("Start socket services!");
manager.MainLoop();
}
// Manager has been destroyed and we may close external libraries.
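Review bot: `listener` is a block-local whose `start()` detaches its thread and whose destructor does not stop the loop, so when `manager.MainLoop()` returns the object is destroyed while the worker keeps running; this is only harmless because the loop is leaked rather than freed, and the comment should say so or the listener should be stopped before the services are torn down. The comment also has a typo ("unstall") and mentions a vconf event that the visible `listener_main` does not register — it only calls `pkgmgr_client_listen_status_with_zone` — so unless the vconf registration lives elsewhere in that file, `// Start listener thread for app uninstall (pkgmgr) events; the thread is detached and outlives this scope.` is the accurate wording.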
diff --git a/src/manager/main/smack-check.cpp b/src/manager/main/smack-check.cpp
deleted file mode 100644
index ce7899a..0000000
--- a/src/manager/main/smack-check.cpp
+++ /dev/null
@@ -1,34 +0,0 @@
-#include <smack-check.h>
-
-#include <stdlib.h>
-#include <sys/smack.h>
-
-#include <dpl/log/log.h>
-
-namespace CKM {
-
-int smack_runtime_check(void)
-{
- static int smack_present = -1;
- if (-1 == smack_present) {
- if (NULL == smack_smackfs_path()) {
- LogDebug("no smack found on device");
- smack_present = 0;
- } else {
- LogDebug("found smack on device");
- smack_present = 1;
- }
- }
- return smack_present;
-}
-
-int smack_check(void)
-{
-#ifndef SMACK_ENABLED
- return 0;
-#else
- return smack_runtime_check();
-#endif
-}
-
-} // namespace CKM
diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp
index 405add5..30acc9f 100644
--- a/src/manager/main/socket-manager.cpp
+++ b/src/manager/main/socket-manager.cpp
@@ -29,11 +29,9 @@
#include <sys/signalfd.h>
#include <sys/types.h>
#include <sys/socket.h>
-#include <sys/smack.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <unistd.h>
-#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <time.h>
@@ -44,15 +42,14 @@
#include <dpl/log/log.h>
#include <dpl/assert.h>
-#include <smack-check.h>
+#include <ckm/ckm-client-info.h>
#include <socket-manager.h>
namespace {
-
const time_t SOCKET_TIMEOUT = 1000;
-int getCredentialsFromSocket(int sock, CKM::Credentials &cred) {
- CKM::Credentials credentials;
+int getCredentialsFromSocket(int sock, CKM::Credentials &cred, vsm_context_h &vsmCtx)
+{
std::vector<char> result(1);
socklen_t length = 1;
ucred peerCred;
@@ -80,10 +77,42 @@ int getCredentialsFromSocket(int sock, CKM::Credentials &cred) {
result.push_back('\0');
cred.smackLabel = result.data();
- cred.uid = peerCred.uid;
+ if (!vsmCtx) {
+ CKM::ClientInfo clientInfo(peerCred.uid);
+ cred.clientID = clientInfo.getClientID();
+ LogError("vsmCtx == NULL. ClientID[" << cred.clientID << "]");
+ } else {
+ vsm_zone_h _vsm_zone = vsm_lookup_zone_by_pid(vsmCtx, peerCred.pid);
+ if (!_vsm_zone) {
+ if (0 > vsm_cleanup_context(vsmCtx)) {
+ LogError("Failed to vsm_cleanup_context.");
+ } else if (!(vsmCtx = vsm_create_context())) {
+ LogError("Failed to vsm_create_context.");
+ return -1;
+ }
+ LogDebug("Recreate vsm context Success. vsm_lookup_zone_by_pid:[" << peerCred.pid << "] returned NULL");
+ _vsm_zone = vsm_lookup_zone_by_pid(vsmCtx, peerCred.pid);
+
+ if (!_vsm_zone) {
+ LogError("Failed. vsm_zone lookedup by pid:[" << peerCred.pid << "]");
+ vsm_cleanup_context(vsmCtx);
+ vsmCtx = NULL;
+ return -1;
+ }
+ LogDebug("Success. vsm_lookup_zone_by_pid:[" << peerCred.pid << "]");
+ }
+
+ // construct clientInfo with default zone
+ CKM::ClientInfo clientInfo(peerCred.uid);
+
+ if (!vsm_is_host_zone(_vsm_zone))
+ clientInfo = CKM::ClientInfo(std::string(vsm_get_zone_name(_vsm_zone)), peerCred.uid);
+
+ cred.clientID = clientInfo.getClientID();
+ LogDebug("sock[" << sock << "] clientID[" << cred.clientID << "]");
+ }
return 0;
}
-
} // namespace anonymous
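Review bot: the `!vsmCtx` branch fails open: with no vasum context the peer is classified with the host-zone `ClientInfo(peerCred.uid)` and accepted, so a client running in a container would be mapped onto the host user's store whenever `vsm_create_context()` failed in the constructor (still marked `// TODO: handle error` in the constructor hunk) or the recovery path below set `vsmCtx = NULL`, after which every later connection takes this branch. Zone attribution is the access-control boundary here, so the branch should reject instead — `LogError("vsmCtx == NULL. Rejecting client on sock[" << sock << "]"); return -1;` — since the caller in `ReadyForAccept` already closes the socket on a negative return. Two smaller issues in the recovery path: when `vsm_cleanup_context` fails the code logs, then still prints `"Recreate vsm context Success..."` and retries with the context it did not recreate; and `vsm_get_zone_name(_vsm_zone)` is passed straight to `std::string`, which is undefined if that call can return NULL, so a guard is warranted if the vasum API allows it. The function's header and the first part of its body are in the preceding hunk.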
namespace CKM {
@@ -172,6 +201,7 @@ SocketManager::CreateDefaultReadSocketDescription(int sock, bool timeout)
SocketManager::SocketManager()
: m_maxDesc(0)
, m_counter(0)
+ , m_vsmCtx(NULL)
{
FD_ZERO(&m_readSet);
FD_ZERO(&m_writeSet);
@@ -202,6 +232,8 @@ SocketManager::SocketManager()
desc2.service = signalService;
LogInfo("SignalService mounted on " << filefd << " descriptor");
}
+ m_vsmCtx = vsm_create_context();
+ // TODO: handle error
}
SocketManager::~SocketManager() {
@@ -239,7 +271,7 @@ void SocketManager::ReadyForAccept(int sock) {
}
Credentials peerCred;
- if (0 > getCredentialsFromSocket(client, peerCred)) {
+ if (0 > getCredentialsFromSocket(client, peerCred, m_vsmCtx)) {
LogDebug("Error in getCredentialsFromSocket. Socket closed.");
TEMP_FAILURE_RETRY(close(client));
return;
@@ -464,78 +496,20 @@ int SocketManager::GetSocketFromSystemD(
ThrowMsg(Exception::InitFailed, "Error in sd_listend_fds");
}
- for(fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START+n; ++fd) {
- if (0 < sd_is_socket_unix(fd, SOCK_STREAM, 1,
- desc.serviceHandlerPath.c_str(), 0))
- {
+ for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START+n; ++fd) {
+ if (0 < sd_is_socket_unix(fd, SOCK_STREAM, 1, desc.serviceHandlerPath.c_str(), 0)) {
LogInfo("Useable socket " << desc.serviceHandlerPath <<
" was passed by SystemD under descriptor " << fd);
+ if (m_vsmCtx) {
+ int ret = vsm_declare_link(m_vsmCtx, desc.serviceHandlerPath.c_str(), desc.serviceHandlerPath.c_str());
+ if (ret)
+ LogError("Failed to socket declare link: " << desc.serviceHandlerPath.c_str());
+ }
return fd;
}
}
- LogError("No useable sockets were passed by systemd.");
- return -1;
-}
-
-int SocketManager::CreateDomainSocketHelp(
- const GenericSocketService::ServiceDescription &desc)
-{
- int sockfd;
-
- if (-1 == (sockfd = socket(AF_UNIX, SOCK_STREAM, 0))) {
- int err = errno;
- LogError("Error in socket: " << GetErrnoString(err));
- ThrowMsg(Exception::InitFailed, "Error in socket: " << GetErrnoString(err));
- }
- if (smack_check()) {
- LogInfo("Set up smack label: " << desc.smackLabel);
-
- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
- LogError("Error in smack_fsetlabel");
- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
- }
- } else {
- LogInfo("No smack on platform. Socket won't be securied with smack label!");
- }
-
- int flags;
- if (-1 == (flags = fcntl(sockfd, F_GETFL, 0)))
- flags = 0;
-
- if (-1 == fcntl(sockfd, F_SETFL, flags | O_NONBLOCK)) {
- int err = errno;
- close(sockfd);
- LogError("Error in fcntl: " << GetErrnoString(err));
- ThrowMsg(Exception::InitFailed, "Error in fcntl: " << GetErrnoString(err));
- }
-
- sockaddr_un serverAddress;
- memset(&serverAddress, 0, sizeof(serverAddress));
- serverAddress.sun_family = AF_UNIX;
- strcpy(serverAddress.sun_path, desc.serviceHandlerPath.c_str());
- unlink(serverAddress.sun_path);
-
- mode_t originalUmask;
- originalUmask = umask(0);
-
- if (-1 == bind(sockfd, (struct sockaddr*)&serverAddress, sizeof(serverAddress))) {
- int err = errno;
- close(sockfd);
- LogError("Error in bind: " << GetErrnoString(err));
- ThrowMsg(Exception::InitFailed, "Error in bind: " << GetErrnoString(err));
- }
-
- umask(originalUmask);
-
- if (-1 == listen(sockfd, 5)) {
- int err = errno;
- close(sockfd);
- LogError("Error in listen: " << GetErrnoString(err));
- ThrowMsg(Exception::InitFailed, "Error in listen: " << GetErrnoString(err));
- }
-
- return sockfd;
+ ThrowMsg(Exception::GetSystemdSocketFailed, "No useable sockets were passed by systemd.");
}
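Review bot: a failed `vsm_declare_link` is only logged and the descriptor is still returned, so if that link is what makes the service socket reachable from zones, the fault would surface later as unexplained connection failures from containers rather than at startup; either treat it like the other startup errors (`ThrowMsg(Exception::InitFailed, "vsm_declare_link failed for " << desc.serviceHandlerPath);`) or document why it is best-effort. With `CreateDomainSocketHelp` removed, the `smack_fsetlabel` the daemon used to apply on its fallback socket is no longer done anywhere in this code, so the socket's SMACK label now depends entirely on the systemd socket unit; that contract deserves a comment on `GetSocketFromSystemD`, whose signature and `sd_listen_fds` call lie above the hunk.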
void SocketManager::CreateDomainSocket(
@@ -543,8 +517,6 @@ void SocketManager::CreateDomainSocket(
const GenericSocketService::ServiceDescription &desc)
{
int sockfd = GetSocketFromSystemD(desc);
- if (-1 == sockfd)
- sockfd = CreateDomainSocketHelp(desc);
auto &description = CreateDefaultReadSocketDescription(sockfd, false);
@@ -556,7 +528,9 @@ void SocketManager::CreateDomainSocket(
" Handler: " << desc.serviceHandlerPath.c_str());
}
-void SocketManager::RegisterSocketService(GenericSocketService *service) {
+void SocketManager::RegisterSocketService(
+ GenericSocketService *service)
+{
service->SetSocketManager(this);
auto serviceVector = service->GetServiceDescription();
Try {
diff --git a/src/manager/main/socket-manager.h b/src/manager/main/socket-manager.h
index 978dbee..230a182 100644
--- a/src/manager/main/socket-manager.h
+++ b/src/manager/main/socket-manager.h
@@ -32,8 +32,9 @@
#include <mutex>
#include <thread>
-#include <dpl/exception.h>
+#include <vasum.h>
+#include <dpl/exception.h>
#include <generic-socket-manager.h>
namespace CKM {
@@ -44,6 +45,7 @@ public:
public:
DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
DECLARE_EXCEPTION_TYPE(Base, InitFailed)
+ DECLARE_EXCEPTION_TYPE(Base, GetSystemdSocketFailed)
};
SocketManager();
virtual ~SocketManager();
@@ -58,8 +60,6 @@ protected:
void CreateDomainSocket(
GenericSocketService *service,
const GenericSocketService::ServiceDescription &desc);
- int CreateDomainSocketHelp(
- const GenericSocketService::ServiceDescription &desc);
int GetSocketFromSystemD(
const GenericSocketService::ServiceDescription &desc);
@@ -119,6 +119,7 @@ protected:
int m_notifyMe[2];
int m_counter;
std::priority_queue<Timeout> m_timeoutQueue;
+ vsm_context_h m_vsmCtx;
};
} // namespace CKM
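Review bot: `m_vsmCtx` is a raw vasum handle whose ownership and null state are undocumented: it is created in the constructor, may be NULL when creation fails, and is replaced or nulled from inside `getCredentialsFromSocket` through the by-reference parameter. Suggest `// vasum context used to map peer pids to zones; NULL when unavailable (creation failed or lost during a lookup). Owned by this object; released in ~SocketManager.` — and, if `~SocketManager` does not already call `vsm_cleanup_context(m_vsmCtx)` (its body is not in this diff), add that so the handle is not leaked.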
diff --git a/src/manager/service/CryptoService.cpp b/src/manager/service/CryptoService.cpp
index c57c840..15f5081 100644
--- a/src/manager/service/CryptoService.cpp
+++ b/src/manager/service/CryptoService.cpp
@@ -28,6 +28,8 @@
#define OPENSSL_SUCCESS 1 // DO NOTCHANGE THIS VALUE
#define OPENSSL_FAIL 0 // DO NOTCHANGE THIS VALUE
+#define RAND_READ_BYTES 32
+
namespace CKM {
CryptoService::CryptoService(){
@@ -38,30 +40,22 @@ CryptoService::~CryptoService(){
-int CryptoService::initialize() {
- int hw_rand_ret = 0;
- int u_rand_ret = 0;
-
+void CryptoService::initialize() {
// try to initialize using ERR_load_crypto_strings and OpenSSL_add_all_algorithms
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
// initialize entropy
std::ifstream ifile(DEV_HW_RANDOM_FILE);
- if(ifile.is_open()) {
- u_rand_ret= RAND_load_file(DEV_HW_RANDOM_FILE, 32);
- }
- if(u_rand_ret != 32 ){
- LogError("Error in HW_RAND file load");
- hw_rand_ret = RAND_load_file(DEV_URANDOM_FILE, 32);
- if(hw_rand_ret != 32) {
- LogError("Error in U_RAND_file_load");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in U_RAND_file_load");
- }
- }
-
- return CKM_CRYPTO_INIT_SUCCESS;
+ if (ifile.is_open()
+ && (RAND_READ_BYTES == RAND_load_file(DEV_HW_RANDOM_FILE, RAND_READ_BYTES)))
+ LogDebug("Success to read from [" << DEV_HW_RANDOM_FILE << "]");
+ else if (RAND_READ_BYTES == RAND_load_file(DEV_URANDOM_FILE, RAND_READ_BYTES))
+ LogDebug("Success to read from [" << DEV_URANDOM_FILE << "]");
+ else
+ ThrowMsg(CryptoService::Exception::Crypto_internal,
+ "Error in U_RAND_file_load");
}
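Review bot: `std::ifstream ifile(DEV_HW_RANDOM_FILE)` is opened only to test `is_open()`, is never read, and stays open across the `RAND_load_file` call; `RAND_load_file` opens the path itself and reports a failed or short read through its return value, so the probe can be dropped and the first condition reduced to `if (RAND_READ_BYTES == RAND_load_file(DEV_HW_RANDOM_FILE, RAND_READ_BYTES))`. The exception text `"Error in U_RAND_file_load"` is now raised when both sources fail, so it should name both, e.g. `"Failed to seed PRNG from " << DEV_HW_RANDOM_FILE << " and " << DEV_URANDOM_FILE`. Since this seeding is the only entropy this function feeds to OpenSSL, the fall-back from the hardware source to the second file deserves a warning-level log rather than the current `LogDebug`, and a one-line header comment stating that the function throws on failure.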
const EVP_MD *CryptoService::getMdAlgo(const HashAlgorithm hashAlgo) {
@@ -188,111 +182,111 @@ int CryptoService::createKeyPairRSA(const int size, // size in bits [1024, 2048,
int CryptoService::createKeyPairDSA(const int size, // size in bits [1024, 2048, 3072, 4096]
- KeyImpl &createdPrivateKey, // returned value
- KeyImpl &createdPublicKey) // returned value
+ KeyImpl &createdPrivateKey, // returned value
+ KeyImpl &createdPublicKey) // returned value
{
- EVP_PKEY_CTX *pctx = NULL;
- EVP_PKEY_CTX *kctx = NULL;
- EVP_PKEY *pkey = NULL;
- EVP_PKEY *pparam = NULL;
-
- // check the parameters of functions
- if(size != 1024 && size !=2048 && size !=3072 && size != 4096) {
- LogError("Error in DSA input size");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in DSA input size");
- }
-
- // check the parameters of functions
- if(&createdPrivateKey == NULL) {
- LogError("Error in createdPrivateKey value");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in createdPrivateKey value");
- }
-
- // check the parameters of functions
- if(&createdPublicKey == NULL) {
- LogError("Error in createdPrivateKey value");
- ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in createdPublicKey value");
- }
-
- Try {
- /* Create the context for generating the parameters */
- if(!(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL))) {
- LogError("Error in EVP_PKEY_CTX_new_id function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new_id function");
- }
-
- if(EVP_SUCCESS != EVP_PKEY_paramgen_init(pctx)) {
- LogError("Error in EVP_PKEY_paramgen_init function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_paramgen_init function");
- }
-
- if(EVP_SUCCESS != EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, size)) {
- LogError("Error in EVP_PKEY_CTX_set_dsa_paramgen_bits(" << size << ") function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_dsa_paramgen_bits(" << size << ") function");
- }
-
- /* Generate parameters */
- if(EVP_SUCCESS != EVP_PKEY_paramgen(pctx, &pparam)) {
- LogError("Error in EVP_PKEY_paramgen function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_paramgen function");
- }
-
- // Start to generate key
- if(!(kctx = EVP_PKEY_CTX_new(pparam, NULL))) {
- LogError("Error in EVP_PKEY_CTX_new function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new function");
- }
-
- if(EVP_SUCCESS != EVP_PKEY_keygen_init(kctx)) {
- LogError("Error in EVP_PKEY_keygen_init function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_keygen_init function");
- }
-
- /* Generate the key */
- if(EVP_SUCCESS != EVP_PKEY_keygen(kctx, &pkey)) {
- LogError("Error in EVP_PKEY_keygen function");
- ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_keygen function");
- }
- }
- Catch(CryptoService::Exception::opensslError)
- {
- if(pkey) {
- EVP_PKEY_free(pkey);
- }
-
- if(pparam) {
- EVP_PKEY_free(pparam);
- }
-
- if(pctx) {
- EVP_PKEY_CTX_free(pctx);
- }
-
- if(kctx) {
- EVP_PKEY_CTX_free(kctx);
- }
-
- ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
- }
-
- KeyImpl::EvpShPtr ptr(pkey, EVP_PKEY_free); // shared ptr will free pkey
-
- createdPrivateKey = KeyImpl(ptr, KeyType::KEY_DSA_PRIVATE);
- createdPublicKey = KeyImpl(ptr, KeyType::KEY_DSA_PUBLIC);
-
- if(pparam) {
- EVP_PKEY_free(pparam);
- }
-
- if(pctx) {
- EVP_PKEY_CTX_free(pctx);
- }
-
- if(kctx) {
- EVP_PKEY_CTX_free(kctx);
- }
-
- return CKM_CRYPTO_CREATEKEY_SUCCESS;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY_CTX *kctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY *pparam = NULL;
+
+ // check the parameters of functions
+ if(size != 1024 && size !=2048 && size !=3072 && size != 4096) {
+ LogError("Error in DSA input size");
+ ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in DSA input size");
+ }
+
+ // check the parameters of functions
+ if(&createdPrivateKey == NULL) {
+ LogError("Error in createdPrivateKey value");
+ ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in createdPrivateKey value");
+ }
+
+ // check the parameters of functions
+ if(&createdPublicKey == NULL) {
+ LogError("Error in createdPrivateKey value");
+ ThrowMsg(CryptoService::Exception::Crypto_internal, "Error in createdPublicKey value");
+ }
+
+ Try {
+ /* Create the context for generating the parameters */
+ if(!(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL))) {
+ LogError("Error in EVP_PKEY_CTX_new_id function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new_id function");
+ }
+
+ if(EVP_SUCCESS != EVP_PKEY_paramgen_init(pctx)) {
+ LogError("Error in EVP_PKEY_paramgen_init function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_paramgen_init function");
+ }
+
+ if(EVP_SUCCESS != EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, size)) {
+ LogError("Error in EVP_PKEY_CTX_set_dsa_paramgen_bits(" << size << ") function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_set_dsa_paramgen_bits(" << size << ") function");
+ }
+
+ /* Generate parameters */
+ if(EVP_SUCCESS != EVP_PKEY_paramgen(pctx, &pparam)) {
+ LogError("Error in EVP_PKEY_paramgen function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_paramgen function");
+ }
+
+ // Start to generate key
+ if(!(kctx = EVP_PKEY_CTX_new(pparam, NULL))) {
+ LogError("Error in EVP_PKEY_CTX_new function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_CTX_new function");
+ }
+
+ if(EVP_SUCCESS != EVP_PKEY_keygen_init(kctx)) {
+ LogError("Error in EVP_PKEY_keygen_init function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_keygen_init function");
+ }
+
+ /* Generate the key */
+ if(EVP_SUCCESS != EVP_PKEY_keygen(kctx, &pkey)) {
+ LogError("Error in EVP_PKEY_keygen function");
+ ThrowMsg(CryptoService::Exception::opensslError, "Error in EVP_PKEY_keygen function");
+ }
+ }
+ Catch(CryptoService::Exception::opensslError)
+ {
+ if(pkey) {
+ EVP_PKEY_free(pkey);
+ }
+
+ if(pparam) {
+ EVP_PKEY_free(pparam);
+ }
+
+ if(pctx) {
+ EVP_PKEY_CTX_free(pctx);
+ }
+
+ if(kctx) {
+ EVP_PKEY_CTX_free(kctx);
+ }
+
+ ReThrowMsg(CryptoService::Exception::opensslError,"Error in openssl function !!");
+ }
+
+ KeyImpl::EvpShPtr ptr(pkey, EVP_PKEY_free); // shared ptr will free pkey
+
+ createdPrivateKey = KeyImpl(ptr, KeyType::KEY_DSA_PRIVATE);
+ createdPublicKey = KeyImpl(ptr, KeyType::KEY_DSA_PUBLIC);
+
+ if(pparam) {
+ EVP_PKEY_free(pparam);
+ }
+
+ if(pctx) {
+ EVP_PKEY_CTX_free(pctx);
+ }
+
+ if(kctx) {
+ EVP_PKEY_CTX_free(kctx);
+ }
+
+ return CKM_CRYPTO_CREATEKEY_SUCCESS;
}
diff --git a/src/manager/service/CryptoService.h b/src/manager/service/CryptoService.h
index 6828ddb..3ab24c2 100644
--- a/src/manager/service/CryptoService.h
+++ b/src/manager/service/CryptoService.h
@@ -23,7 +23,6 @@
#define EVP_SUCCESS 1 // DO NOTCHANGE THIS VALUE
#define EVP_FAIL 0 // DO NOTCHANGE THIS VALUE
-#define CKM_CRYPTO_INIT_SUCCESS 1
#define CKM_CRYPTO_CREATEKEY_SUCCESS 2
#define CKM_VERIFY_CHAIN_SUCCESS 5
#define NOT_DEFINED -1
@@ -48,7 +47,7 @@ public:
// And system certificates are loaded in the memory during initialization.
// FIPS_MODE - ON, OFF(Default)
// antropy source - /dev/random,/dev/urandom(Default)
- static int initialize();
+ static void initialize();
static int createKeyPairRSA(const int size, // size in bits [1024, 2048, 4096]
KeyImpl &createdPrivateKey, // returned value ==> Key &createdPrivateKey,
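Review bot: `initialize()` now signals failure by throwing instead of returning `CKM_CRYPTO_INIT_SUCCESS`, but the comment block above the declaration still describes the old contract and never mentions the exception; the throw site in CryptoService.cpp uses `CryptoService::Exception::Crypto_internal`. Suggest adding directly above the declaration: `// Throws Exception::Crypto_internal when the PRNG could not be seeded from either entropy source.` The spelling `antropy` in the existing comment could be corrected in the same edit.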
diff --git a/src/manager/service/access-control.cpp b/src/manager/service/access-control.cpp
index 009e7f6..356cd97 100644
--- a/src/manager/service/access-control.cpp
+++ b/src/manager/service/access-control.cpp
@@ -30,9 +30,7 @@ namespace CKM {
void AccessControl::updateCCMode() {
int fipsModeStatus = 0;
int rc = 0;
- bool newMode;
-
- newMode = false;
+ bool newMode = false;
if (newMode == m_ccMode)
return;
@@ -41,17 +39,17 @@ void AccessControl::updateCCMode() {
fipsModeStatus = FIPS_mode();
- if(m_ccMode) {
- if(fipsModeStatus == 0) { // If FIPS mode off
+ if (m_ccMode) {
+ if (fipsModeStatus == 0) { // If FIPS mode off
rc = FIPS_mode_set(1); // Change FIPS_mode from off to on
- if(rc == 0) {
+ if (rc == 0) {
LogError("Error in FIPS_mode_set function");
}
}
} else {
- if(fipsModeStatus == 1) { // If FIPS mode on
+ if (fipsModeStatus == 1) { // If FIPS mode on
rc = FIPS_mode_set(0); // Change FIPS_mode from on to off
- if(rc == 0) {
+ if (rc == 0) {
LogError("Error in FIPS_mode_set function");
}
}
diff --git a/src/manager/service/certificate-store.cpp b/src/manager/service/certificate-store.cpp
index 565f4fd..47e0be6 100644
--- a/src/manager/service/certificate-store.cpp
+++ b/src/manager/service/certificate-store.cpp
@@ -111,6 +111,8 @@ int CertificateStore::verifyCertificate(
switch (result) {
case 0:
+ ret = X509_STORE_CTX_get_error(csc.get());
+ LogError("verify error[" << ret << "]: " << X509_verify_cert_error_string(ret));
return CKM_API_ERROR_VERIFICATION_FAILED;
case 1:
return CKM_API_SUCCESS;
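Review bot: the new log records the verification error code but not which certificate in the chain failed, which is what a reader of the log usually needs; `X509_STORE_CTX_get_error_depth(csc.get())` gives that index and fits into the same `LogError`. `ret` is assigned here but its declaration and any later use are outside the hunk — if it is the function's return-code variable, a separate local such as `int verr` would keep an OpenSSL error code from being confused with a CKM return code.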
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
index b324a20..e3b4544 100644
--- a/src/manager/service/ckm-logic.cpp
+++ b/src/manager/service/ckm-logic.cpp
@@ -60,20 +60,40 @@ CKMLogic::CKMLogic()
CKMLogic::~CKMLogic(){}
-void CKMLogic::loadDKEKFile(uid_t user, const Password &password, bool apiReq) {
- auto &handle = m_userDataMap[user];
+void CKMLogic::loadDKEKFile(
+ const ClientID &clientID,
+ const Password &password,
+ bool apiReq)
+{
+ auto &handle = m_userDataMap[clientID];
- FileSystem fs(user);
+ FileSystem fs(clientID);
auto wrappedDKEKMain = fs.getDKEK();
auto wrappedDKEKBackup = fs.getDKEKBackup();
+#ifdef PASSWORD_PROTECTION_DISABLE
+ if (wrappedDKEKMain.empty()) {
+ wrappedDKEKMain = KeyProvider::generateDomainKEK(clientID, Password(""));
+ fs.saveDKEK(wrappedDKEKMain);
+ }
+
+ try{
+ chooseDKEKFile(handle, Password(""), wrappedDKEKMain, wrappedDKEKBackup);
+ } catch (const KeyProvider::Exception::Base &e) {
+ chooseDKEKFile(handle, password, wrappedDKEKMain, wrappedDKEKBackup);
+ fs.saveDKEK(handle.keyProvider.getWrappedDomainKEK(Password("")));
+ handle.isMainDKEK = true;
+ LogInfo("Password Protected DB was migrated to Password Protection Disabled DB.");
+ }
+#else
if (wrappedDKEKMain.empty()) {
- wrappedDKEKMain = KeyProvider::generateDomainKEK(std::to_string(user), password);
+ wrappedDKEKMain = KeyProvider::generateDomainKEK(clientID, password);
fs.saveDKEK(wrappedDKEKMain);
}
chooseDKEKFile(handle, password, wrappedDKEKMain, wrappedDKEKBackup);
+#endif
if (!password.empty() || apiReq) {
handle.isDKEKConfirmed = true;
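Review bot: under `PASSWORD_PROTECTION_DISABLE` the migration path catches `KeyProvider::Exception::Base`, so any KeyProvider failure while unwrapping with the empty password — not only a wrong-password result — triggers a retry with `password` and, on success, rewrites the DKEK wrapped with `Password("")`, permanently removing the password protection from an existing store; that is presumably the intent of the flag, but it should be a deliberate step rather than a side effect of a broad catch. Narrow it to `} catch (const KeyProvider::Exception::PassWordError &e) {` (the type this file already handles in `unlockUserKey`) and add a comment at the `#ifdef` stating that this build mode downgrades previously password-protected user data on first unlock. Whether `wrappedDKEKBackup` still holds the password-wrapped copy after `fs.saveDKEK` and should be discarded here is also worth a note. The rest of `loadDKEKFile` continues past the hunk.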
@@ -103,10 +123,10 @@ void CKMLogic::chooseDKEKFile(
}
}
-void CKMLogic::saveDKEKFile(uid_t user, const Password &password) {
- auto &handle = m_userDataMap[user];
+void CKMLogic::saveDKEKFile(const ClientID &clientID, const Password &password) {
+ auto &handle = m_userDataMap[clientID];
- FileSystem fs(user);
+ FileSystem fs(clientID);
if (handle.isMainDKEK)
fs.createDKEKBackup();
@@ -116,20 +136,24 @@ void CKMLogic::saveDKEKFile(uid_t user, const Password &password) {
handle.isDKEKConfirmed = false;
}
-RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password, bool apiRequest) {
+RawBuffer CKMLogic::unlockUserKey(
+ const ClientID &clientID,
+ const Password &password,
+ bool apiRequest)
+{
int retCode = CKM_API_SUCCESS;
try {
- if (0 == m_userDataMap.count(user) || !(m_userDataMap[user].keyProvider.isInitialized())) {
- auto &handle = m_userDataMap[user];
- FileSystem fs(user);
+ if (0 == m_userDataMap.count(clientID) || !(m_userDataMap[clientID].keyProvider.isInitialized())) {
+ auto &handle = m_userDataMap[clientID];
+ FileSystem fs(clientID);
- loadDKEKFile(user, password, apiRequest);
+ loadDKEKFile(clientID, password, apiRequest);
auto wrappedDatabaseDEK = fs.getDBDEK();
if (wrappedDatabaseDEK.empty()) {
- wrappedDatabaseDEK = handle.keyProvider.generateDEK(std::to_string(user));
+ wrappedDatabaseDEK = handle.keyProvider.generateDEK(clientID);
fs.saveDBDEK(wrappedDatabaseDEK);
}
@@ -140,11 +164,12 @@ RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password, bool api
// remove data of removed apps during locked state
AppLabelVector removedApps = fs.clearRemovedsApps();
for(auto& appSmackLabel : removedApps) {
+ handle.crypto.removeKey(appSmackLabel);
handle.database.deleteKey(appSmackLabel);
}
- } else if (apiRequest == true && m_userDataMap[user].isDKEKConfirmed == false) {
+ } else if (apiRequest == true && m_userDataMap[clientID].isDKEKConfirmed == false) {
// now we will try to choose the DKEK key and remove old one
- loadDKEKFile(user, password, apiRequest);
+ loadDKEKFile(clientID, password, apiRequest);
}
} catch (const KeyProvider::Exception::PassWordError &e) {
LogError("Incorrect Password " << e.GetMessage());
@@ -166,7 +191,7 @@ RawBuffer CKMLogic::unlockUserKey(uid_t user, const Password &password, bool api
if(retCode != CKM_API_SUCCESS) {
// When not successful, UserData in m_userDataMap should be erased.
// Because other operations make decision based on the existence of UserData in m_userDataMap.
- m_userDataMap.erase(user);
+ m_userDataMap.erase(clientID);
}
return MessageBuffer::Serialize(retCode).Pop();
@@ -177,35 +202,47 @@ RawBuffer CKMLogic::updateCCMode() {
return MessageBuffer::Serialize(CKM_API_SUCCESS).Pop();
}
-RawBuffer CKMLogic::lockUserKey(uid_t user) {
+RawBuffer CKMLogic::lockUserKey(const ClientID &clientID) {
int retCode = CKM_API_SUCCESS;
// TODO try catch for all errors that should be supported by error code
- m_userDataMap.erase(user);
+
+#ifdef PASSWORD_PROTECTION_DISABLE
+ (void) clientID;
+#else
+ m_userDataMap.erase(clientID);
+#endif
return MessageBuffer::Serialize(retCode).Pop();
}
-RawBuffer CKMLogic::removeUserData(uid_t user) {
+RawBuffer CKMLogic::removeUserData(const ClientID &clientID) {
int retCode = CKM_API_SUCCESS;
// TODO try catch for all errors that should be supported by error code
- m_userDataMap.erase(user);
- FileSystem fs(user);
+ m_userDataMap.erase(clientID);
+
+ FileSystem fs(clientID);
fs.removeUserData();
return MessageBuffer::Serialize(retCode).Pop();
}
RawBuffer CKMLogic::changeUserPassword(
- uid_t user,
+ const ClientID &clientID,
const Password &oldPassword,
const Password &newPassword)
{
int retCode = CKM_API_SUCCESS;
+
+#ifdef PASSWORD_PROTECTION_DISABLE
+ (void) clientID;
+ (void) oldPassword;
+ (void) newPassword;
+#else
try {
- loadDKEKFile(user, oldPassword, true);
- saveDKEKFile(user, newPassword);
+ loadDKEKFile(clientID, oldPassword, true);
+ saveDKEKFile(clientID, newPassword);
} catch (const KeyProvider::Exception::PassWordError &e) {
LogError("Incorrect Password " << e.GetMessage());
retCode = CKM_API_ERROR_AUTHENTICATION_FAILED;
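Review bot: with `PASSWORD_PROTECTION_DISABLE` both `lockUserKey` and `changeUserPassword` become no-ops that still serialize `CKM_API_SUCCESS`, so a caller that locks the store or sets a password is told it succeeded while the keys stay unlocked in `m_userDataMap` and nothing is re-wrapped; the same applies to `resetUserPassword` in the next hunk. If the API cannot honour the request in this build, say so in the response or at least in the log — e.g. replace `(void) clientID;` with `LogWarning("lockUserKey ignored: built with PASSWORD_PROTECTION_DISABLE");` and do the same in the other two — and document the flag's semantics once near the top of the file. The `changeUserPassword` catch chain continues beyond the hunk.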
@@ -219,25 +256,29 @@ RawBuffer CKMLogic::changeUserPassword(
LogError("CKM::Exception: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
}
+#endif
return MessageBuffer::Serialize(retCode).Pop();
}
RawBuffer CKMLogic::resetUserPassword(
- uid_t user,
+ const ClientID &clientID,
const Password &newPassword)
{
int retCode = CKM_API_SUCCESS;
-
+#ifdef PASSWORD_PROTECTION_DISABLE
+ (void) clientID;
+ (void) newPassword;
+#else
try {
- if (0 == m_userDataMap.count(user)) {
+ if (0 == m_userDataMap.count(clientID)) {
// Check if key exists. If exists we must return error
- FileSystem fs(user);
+ FileSystem fs(clientID);
auto wrappedDKEKMain = fs.getDKEK();
if (!wrappedDKEKMain.empty())
retCode = CKM_API_ERROR_BAD_REQUEST;
} else {
- saveDKEKFile(user, newPassword);
+ saveDKEKFile(clientID, newPassword);
}
} catch (const FileSystem::Exception::Base &e) {
LogError("Error in FileSystem " << e.GetMessage());
@@ -246,30 +287,30 @@ RawBuffer CKMLogic::resetUserPassword(
LogError("CKM::Exception: " << e.GetMessage());
retCode = CKM_API_ERROR_SERVER_ERROR;
}
+#endif
return MessageBuffer::Serialize(retCode).Pop();
}
-RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel) {
+RawBuffer CKMLogic::removeApplicationData(const std::string &zone, const Label &smackLabel) {
int retCode = CKM_API_SUCCESS;
try {
-
if (smackLabel.empty()) {
retCode = CKM_API_ERROR_INPUT_PARAM;
} else {
- UidVector uids = FileSystem::getUIDsFromDBFile();
- for (auto userId : uids) {
- if (0 == m_userDataMap.count(userId)) {
- FileSystem fs(userId);
+ ClientIDVector clientIDVec = FileSystem::getClientIDsFromDBFile(zone);
+ for (auto clientID : clientIDVec) {
+ if (0 == m_userDataMap.count(clientID)) {
+ FileSystem fs(clientID);
fs.addRemovedApp(smackLabel);
} else {
- auto &handle = m_userDataMap[userId];
+ auto &handle = m_userDataMap[clientID];
+ handle.crypto.removeKey(smackLabel);
handle.database.deleteKey(smackLabel);
}
}
}
-
} catch (const DB::Crypto::Exception::InternalError &e) {
LogError("DB::Crypto couldn't remove data: " << e.GetMessage());
retCode = CKM_API_ERROR_DB_ERROR;
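Review bot: `for (auto clientID : clientIDVec)` copies each element that is then only used as a lookup key; `for (const auto &clientID : clientIDVec)` avoids the copy if `ClientID` is a non-trivial type. The new `zone` parameter scopes the purge to one zone's stores, so an app uninstalled in one zone leaves its data untouched in the others; a one-line comment on the function stating that callers are expected to invoke it once per zone would make that contract explicit (the listener side is not in this hunk). The catch chain continues below the hunk.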
@@ -298,7 +339,6 @@ int CKMLogic::checkSaveConditions(
LogWarning("Invalid parameter passed to key-manager");
return CKM_API_ERROR_INPUT_PARAM;
}
-
// check if allowed to save using ownerLabel
int access_ec = m_accessControl.canSave(ownerLabel, cred.smackLabel);
if(access_ec != CKM_API_SUCCESS)
@@ -387,7 +427,7 @@ RawBuffer CKMLogic::saveData(
const PolicySerializable &policy)
{
int retCode;
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
retCode = CKM_API_ERROR_DB_LOCKED;
else
{
@@ -481,7 +521,7 @@ RawBuffer CKMLogic::savePKCS12(
const PolicySerializable &certPolicy)
{
int retCode;
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
retCode = CKM_API_ERROR_DB_LOCKED;
else
{
@@ -517,7 +557,7 @@ int CKMLogic::removeDataHelper(
const Name &name,
const Label &ownerLabel)
{
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
return CKM_API_ERROR_DB_LOCKED;
if (!isNameValid(name) || !isLabelValid(ownerLabel)) {
@@ -525,7 +565,7 @@ int CKMLogic::removeDataHelper(
return CKM_API_ERROR_INPUT_PARAM;
}
- auto &database = m_userDataMap[cred.uid].database;
+ auto &database = m_userDataMap[cred.clientID].database;
DB::Crypto::Transaction transaction(&database);
// read and check permissions
@@ -584,14 +624,14 @@ int CKMLogic::readSingleRow(const Name &name,
{
// read all key types
row_optional = database.getRow(name,
- ownerLabel,
- DataType::DB_KEY_FIRST,
- DataType::DB_KEY_LAST);
+ ownerLabel,
+ DataType::DB_KEY_FIRST,
+ DataType::DB_KEY_LAST);
} else {
// read anything else
row_optional = database.getRow(name,
- ownerLabel,
- dataType);
+ ownerLabel,
+ dataType);
}
if(!row_optional) {
@@ -604,7 +644,6 @@ int CKMLogic::readSingleRow(const Name &name,
return CKM_API_SUCCESS;
}
-
int CKMLogic::readMultiRow(const Name &name,
const Label &ownerLabel,
DataType dataType,
@@ -615,31 +654,35 @@ int CKMLogic::readMultiRow(const Name &name,
{
// read all key types
database.getRows(name,
- ownerLabel,
- DataType::DB_KEY_FIRST,
- DataType::DB_KEY_LAST,
- output);
+ ownerLabel,
+ DataType::DB_KEY_FIRST,
+ DataType::DB_KEY_LAST,
+ output);
}
else if (dataType.isChainCert())
{
// read all key types
database.getRows(name,
- ownerLabel,
- DataType::DB_CHAIN_FIRST,
- DataType::DB_CHAIN_LAST,
- output);
+ ownerLabel,
+ DataType::DB_CHAIN_FIRST,
+ DataType::DB_CHAIN_LAST,
+ output);
}
else
{
// read anything else
database.getRows(name,
- ownerLabel,
- dataType,
- output);
+ ownerLabel,
+ dataType,
+ output);
}
if(!output.size()) {
- LogError("No row for given name, label and type");
+ /*
+ * readMultiRow is only used to get row which cannot exist
+ * So, it shouldn't print error log
+ */
+ LogDebug("No row for given name, label and type");
return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
}
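Review bot: the new comment reads awkwardly and can be misread as saying the rows never exist; the point is that an empty result is an expected outcome for callers of `readMultiRow`, not a fault. Suggest `// Callers of readMultiRow legitimately query names that have no rows, so an empty result is reported at debug level, not as an error.` The function's signature lies above the hunk.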
@@ -670,7 +713,7 @@ int CKMLogic::readDataHelper(
const Password &password,
DB::RowVector &rows)
{
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
return CKM_API_ERROR_DB_LOCKED;
// use client label if not explicitly provided
@@ -679,7 +722,7 @@ int CKMLogic::readDataHelper(
if (!isNameValid(name) || !isLabelValid(ownerLabel))
return CKM_API_ERROR_INPUT_PARAM;
- auto &handler = m_userDataMap[cred.uid];
+ auto &handler = m_userDataMap[cred.clientID];
// read rows
DB::Crypto::Transaction transaction(&handler.database);
@@ -722,7 +765,7 @@ int CKMLogic::readDataHelper(
const Password &password,
DB::Row &row)
{
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
return CKM_API_ERROR_DB_LOCKED;
// use client label if not explicitly provided
@@ -731,7 +774,7 @@ int CKMLogic::readDataHelper(
if (!isNameValid(name) || !isLabelValid(ownerLabel))
return CKM_API_ERROR_INPUT_PARAM;
- auto &handler = m_userDataMap[cred.uid];
+ auto &handler = m_userDataMap[cred.clientID];
// read row
DB::Crypto::Transaction transaction(&handler.database);
@@ -900,8 +943,8 @@ RawBuffer CKMLogic::getDataList(
int retCode = CKM_API_SUCCESS;
LabelNameVector labelNameVector;
- if (0 < m_userDataMap.count(cred.uid)) {
- auto &database = m_userDataMap[cred.uid].database;
+ if (0 < m_userDataMap.count(cred.clientID)) {
+ auto &database = m_userDataMap[cred.clientID].database;
Try {
if (dataType.isKey()) {
@@ -941,7 +984,7 @@ int CKMLogic::saveDataHelper(
const RawBuffer &data,
const PolicySerializable &policy)
{
- auto &handler = m_userDataMap[cred.uid];
+ auto &handler = m_userDataMap[cred.clientID];
// use client label if not explicitly provided
const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
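Review bot: The first statement of saveDataHelper, `auto &handler = m_userDataMap[cred.clientID];`, uses operator[] with no preceding existence check, so a request for a client whose store is locked or unknown default-constructs and inserts an empty UserData instead of returning CKM_API_ERROR_DB_LOCKED the way readDataHelper and createKeyPairHelper do. Unless every caller is guaranteed to have checked first (createKeyPairHelper does, others are not visible here), add `if (0 == m_userDataMap.count(cred.clientID)) return CKM_API_ERROR_DB_LOCKED;` before the lookup; the second saveDataHelper overload in the next hunk has the same shape. This predates the rename (the uid_t version did the same), but the key-type change is the moment to make the helpers consistent. The function body continues outside the hunk.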
@@ -968,7 +1011,7 @@ int CKMLogic::saveDataHelper(
const PolicySerializable &keyPolicy,
const PolicySerializable &certPolicy)
{
- auto &handler = m_userDataMap[cred.uid];
+ auto &handler = m_userDataMap[cred.clientID];
// use client label if not explicitly provided
const Label &ownerLabel = label.empty() ? cred.smackLabel : label;
@@ -1004,7 +1047,7 @@ int CKMLogic::createKeyPairHelper(
const PolicySerializable &policyPrivate,
const PolicySerializable &policyPublic)
{
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
return CKM_API_ERROR_DB_LOCKED;
KeyImpl prv, pub;
@@ -1036,7 +1079,7 @@ int CKMLogic::createKeyPairHelper(
return CKM_API_ERROR_SERVER_ERROR; // TODO error code
}
- auto &database = m_userDataMap[cred.uid].database;
+ auto &database = m_userDataMap[cred.clientID].database;
DB::Crypto::Transaction transaction(&database);
retCode = saveDataHelper(cred,
@@ -1249,7 +1292,8 @@ RawBuffer CKMLogic::getCertificateChain(
auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_CERT),
commandId,
retCode,
- chainRawVector);
+ chainRawVector,
+ m_accessControl.isCCMode());
return response.Pop();
}
@@ -1290,7 +1334,8 @@ RawBuffer CKMLogic::getCertificateChain(
auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_CHAIN_ALIAS),
commandId,
retCode,
- chainRawVector);
+ chainRawVector,
+ m_accessControl.isCCMode());
return response.Pop();
}
@@ -1360,22 +1405,46 @@ RawBuffer CKMLogic::verifySignature(
try {
do {
CryptoService cs;
+ DB::RowVector rowVec;
DB::Row row;
KeyImpl key;
// try certificate first - looking for a public key.
// in case of PKCS, pub key from certificate will be found first
// rather than private key from the same PKCS.
- retCode = readDataHelper(false, cred, DataType::CERTIFICATE, publicKeyOrCertName, ownerLabel, password, row);
- if (retCode == CKM_API_SUCCESS) {
- CertificateImpl cert(row.data, DataFormat::FORM_DER);
+ retCode = readDataHelper(
+ false,
+ cred,
+ DataType::CERTIFICATE,
+ publicKeyOrCertName,
+ ownerLabel,
+ password,
+ rowVec);
+
+ // output cannot be more than 1
+ if (rowVec.size() > 1) {
+ ThrowMsg(CKM::Exception,
+ "More than one certificate mapped to a label[" << ownerLabel << "]");
+ }
+ else if (retCode == CKM_API_SUCCESS && rowVec.size() == 1) {
+ CertificateImpl cert(rowVec[0].data, DataFormat::FORM_DER);
key = cert.getKeyImpl();
- } else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) {
- retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, publicKeyOrCertName, ownerLabel, password, row);
+ }
+ else if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN && rowVec.size() == 0) {
+ retCode = readDataHelper(
+ false,
+ cred,
+ DataType::DB_KEY_FIRST,
+ publicKeyOrCertName,
+ ownerLabel,
+ password,
+ row);
+
if (retCode != CKM_API_SUCCESS)
break;
key = KeyImpl(row.data);
- } else {
+ }
+ else {
break;
}
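Review bot: The final `else { break; }` leaves retCode untouched, so if readDataHelper can ever return CKM_API_SUCCESS together with an empty rowVec the loop exits with retCode still CKM_API_SUCCESS and `key` default-constructed; the visible readMultiRow turns an empty result into CKM_API_ERROR_DB_ALIAS_UNKNOWN, so this may be unreachable today, but the response built after the loop (outside this hunk) would then report a verification that never ran. Making the fallthrough explicit costs one line: `if (retCode == CKM_API_SUCCESS) retCode = CKM_API_ERROR_SERVER_ERROR;` before the break. The thrown message also says "mapped to a label" while the lookup is by name and label; `"More than one certificate for name[" << publicKeyOrCertName << "] label[" << ownerLabel << "]"` reads more accurately. verifySignature begins and ends outside the hunk.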
@@ -1441,11 +1510,10 @@ int CKMLogic::setPermissionHelper(
int access_ec = m_accessControl.canModify(ownerLabel, cred.smackLabel);
if(access_ec != CKM_API_SUCCESS)
return access_ec;
-
- if (0 == m_userDataMap.count(cred.uid))
+ if (0 == m_userDataMap.count(cred.clientID))
return CKM_API_ERROR_DB_LOCKED;
- auto &database = m_userDataMap[cred.uid].database;
+ auto &database = m_userDataMap[cred.clientID].database;
DB::Crypto::Transaction transaction(&database);
if( !database.isNameLabelPresent(name, ownerLabel) )
diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h
index 912f44c..dc66322 100644
--- a/src/manager/service/ckm-logic.h
+++ b/src/manager/service/ckm-logic.h
@@ -59,22 +59,23 @@ public:
CKMLogic& operator=(CKMLogic &&) = delete;
virtual ~CKMLogic();
- RawBuffer unlockUserKey(uid_t user, const Password &password, bool apiRequest = true);
+ RawBuffer unlockUserKey(const ClientID &clientID, const Password &password, bool apiRequest = true);
- RawBuffer lockUserKey(uid_t user);
+ RawBuffer lockUserKey(const ClientID &clientID);
- RawBuffer removeUserData(uid_t user);
+ RawBuffer removeUserData(const ClientID &clientID);
RawBuffer changeUserPassword(
- uid_t user,
+ const ClientID &clientID,
const Password &oldPassword,
const Password &newPassword);
RawBuffer resetUserPassword(
- uid_t user,
+ const ClientID &clientID,
const Password &newPassword);
RawBuffer removeApplicationData(
+ const std::string &zone,
const Label &smackLabel);
RawBuffer saveData(
@@ -185,7 +186,7 @@ public:
private:
void loadDKEKFile(
- uid_t user,
+ const ClientID &clientID,
const Password &password,
bool apiReq);
@@ -196,7 +197,7 @@ private:
const RawBuffer &second);
void saveDKEKFile(
- uid_t user,
+ const ClientID &clientID,
const Password &password);
int verifyBinaryData(
@@ -335,7 +336,7 @@ private:
const PermissionMask permissionMask);
- std::map<uid_t, UserData> m_userDataMap;
+ std::map<ClientID, UserData> m_userDataMap;
AccessControl m_accessControl;
//FileLock m_lock;
};
diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp
index 79c08d7..6c99c36 100644
--- a/src/manager/service/ckm-service.cpp
+++ b/src/manager/service/ckm-service.cpp
@@ -111,7 +111,7 @@ bool CKMService::processOne(
RawBuffer CKMService::processControl(MessageBuffer &buffer) {
int command = 0;
- uid_t user = 0;
+ ClientID clientID;
ControlCommand cc;
Password newPass, oldPass;
Label smackLabel;
@@ -124,25 +124,26 @@ RawBuffer CKMService::processControl(MessageBuffer &buffer) {
switch(cc) {
case ControlCommand::UNLOCK_USER_KEY:
- buffer.Deserialize(user, newPass);
- return m_logic->unlockUserKey(user, newPass);
+ buffer.Deserialize(clientID, newPass);
+ return m_logic->unlockUserKey(clientID, newPass);
case ControlCommand::LOCK_USER_KEY:
- buffer.Deserialize(user);
- return m_logic->lockUserKey(user);
+ buffer.Deserialize(clientID);
+ return m_logic->lockUserKey(clientID);
case ControlCommand::REMOVE_USER_DATA:
- buffer.Deserialize(user);
- return m_logic->removeUserData(user);
+ buffer.Deserialize(clientID);
+ return m_logic->removeUserData(clientID);
case ControlCommand::CHANGE_USER_PASSWORD:
- buffer.Deserialize(user, oldPass, newPass);
- return m_logic->changeUserPassword(user, oldPass, newPass);
+ buffer.Deserialize(clientID, oldPass, newPass);
+ return m_logic->changeUserPassword(clientID, oldPass, newPass);
case ControlCommand::RESET_USER_PASSWORD:
- buffer.Deserialize(user, newPass);
- return m_logic->resetUserPassword(user, newPass);
+ buffer.Deserialize(clientID, newPass);
+ return m_logic->resetUserPassword(clientID, newPass);
case ControlCommand::REMOVE_APP_DATA:
- buffer.Deserialize(smackLabel);
- return m_logic->removeApplicationData(smackLabel);
- case ControlCommand::UPDATE_CC_MODE:
- return m_logic->updateCCMode();
+ {
+ std::string zone;
+ buffer.Deserialize(zone, smackLabel);
+ return m_logic->removeApplicationData(zone, smackLabel);
+ }
case ControlCommand::SET_PERMISSION:
{
Name name;
@@ -150,8 +151,8 @@ RawBuffer CKMService::processControl(MessageBuffer &buffer) {
Label accessorLabel;
PermissionMask permissionMask = 0;
- buffer.Deserialize(user, name, label, accessorLabel, permissionMask);
- Credentials cred = { user, label };
+ buffer.Deserialize(clientID, name, label, accessorLabel, permissionMask);
+ Credentials cred = { clientID, label };
return m_logic->setPermission(
cred,
command,
@@ -161,6 +162,8 @@ RawBuffer CKMService::processControl(MessageBuffer &buffer) {
accessorLabel,
permissionMask);
}
+ case ControlCommand::UPDATE_CC_MODE:
+ return m_logic->updateCCMode();
default:
Throw(Exception::BrokenProtocol);
}
@@ -173,7 +176,6 @@ RawBuffer CKMService::processStorage(Credentials &cred, MessageBuffer &buffer)
int tmpDataType = 0;
Name name;
Label label, accessorLabel;
- std::string user;
buffer.Deserialize(command);
buffer.Deserialize(msgID);
@@ -184,7 +186,7 @@ RawBuffer CKMService::processStorage(Credentials &cred, MessageBuffer &buffer)
// So, to unlock user data when lock type is None, key-manager always try to unlock user data with null password.
// Even if the result is fail, it will be ignored.
Password nullPassword("");
- m_logic->unlockUserKey(cred.uid, nullPassword, false);
+ m_logic->unlockUserKey(cred.clientID, nullPassword, false);
LogDebug("Process storage. Command: " << command);
diff --git a/src/manager/service/crypto-logic.cpp b/src/manager/service/crypto-logic.cpp
index d6eb241..5f0e778 100644
--- a/src/manager/service/crypto-logic.cpp
+++ b/src/manager/service/crypto-logic.cpp
@@ -75,6 +75,11 @@ void CryptoLogic::pushKey(const Label &smackLabel,
m_keyMap[smackLabel] = applicationKey;
}
+void CryptoLogic::removeKey(const Label &smackLabel)
+{
+ m_keyMap.erase(smackLabel);
+}
+
RawBuffer CryptoLogic::encryptDataAesCbc(
const RawBuffer &data,
const RawBuffer &key,
diff --git a/src/manager/service/crypto-logic.h b/src/manager/service/crypto-logic.h
index ceda146..43e4b9c 100644
--- a/src/manager/service/crypto-logic.h
+++ b/src/manager/service/crypto-logic.h
@@ -54,6 +54,7 @@ public:
bool haveKey(const Label &smackLabel);
void pushKey(const Label &smackLabel,
const RawBuffer &applicationKey);
+ void removeKey(const Label &smackLabel);
private:
static const int ENCR_BASE64 = 1 << 0;
diff --git a/src/manager/service/db-crypto.cpp b/src/manager/service/db-crypto.cpp
index 04f4022..1fcf77a 100644
--- a/src/manager/service/db-crypto.cpp
+++ b/src/manager/service/db-crypto.cpp
@@ -63,7 +63,7 @@ namespace {
" VALUES(?101, ?103);";
const char *DB_CMD_SCHEMA_GET =
- "SELECT * FROM SCHEMA_INFO WHERE name=?101;";
+ "SELECT * FROM SCHEMA_INFO WHERE name IS ?101;";
const char *DB_SCHEMA_VERSION_FIELD = "schema_version";
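Review bot: Replacing `=` with `IS` in every WHERE clause changes NULL handling, not just spelling: in SQLite `IS` treats a NULL-bound parameter as equal to a NULL column, whereas `=` never matches NULL, so a statement bound with an unset name or label could now match rows the old statements ignored. If that is intended (or if no parameter is ever bound NULL), record it once near the statements, e.g. `// "IS" rather than "=": a NULL-bound parameter must compare equal to a NULL column`. The same applies to the other three hunks of this file (DB_CMD_NAME_*, DB_CMD_OBJECT_*/KEY_*/PERMISSION_*, DB_CMD_NAME_SELECT_BY_TYPE_AND_PERMISSION).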
@@ -74,13 +74,13 @@ namespace {
" VALUES(?101, ?102);";
const char *DB_CMD_NAME_COUNT_ROWS =
- "SELECT COUNT(idx) FROM NAMES WHERE name=?101 AND label=?102;";
+ "SELECT COUNT(idx) FROM NAMES WHERE name IS ?101 AND label IS ?102;";
const char *DB_CMD_NAME_DELETE =
- "DELETE FROM NAMES WHERE name=?101 AND label=?102;";
+ "DELETE FROM NAMES WHERE name IS ?101 AND label IS ?102;";
const char *DB_CMD_NAME_DELETE_BY_LABEL =
- "DELETE FROM NAMES WHERE label=?102;";
+ "DELETE FROM NAMES WHERE label IS ?102;";
const char *DB_CMD_OBJECT_INSERT =
@@ -90,35 +90,35 @@ namespace {
" iv, dataSize, data, tag, idx) "
" VALUES(?001, ?002, ?003, ?004, ?005, "
" ?006, ?007, ?008,"
- " (SELECT idx FROM NAMES WHERE name=?101 and label=?102)"
+ " (SELECT idx FROM NAMES WHERE name IS ?101 and label IS ?102)"
" );";
const char *DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL =
"SELECT * FROM [join_name_object_tables] "
" WHERE (dataType BETWEEN ?001 AND ?002) "
- " AND name=?101 and label=?102;";
+ " AND name IS ?101 and label IS ?102;";
const char *DB_CMD_KEY_INSERT =
"INSERT INTO KEYS(label, key) VALUES (?, ?);";
const char *DB_CMD_KEY_SELECT =
- "SELECT key FROM KEYS WHERE label=?;";
+ "SELECT key FROM KEYS WHERE label IS ?;";
const char *DB_CMD_KEY_DELETE =
- "DELETE FROM KEYS WHERE label=?";
+ "DELETE FROM KEYS WHERE label IS ?;";
const char *DB_CMD_PERMISSION_SET = // SQLite does not support updating views
"REPLACE INTO PERMISSIONS(permissionLabel, permissionMask, idx) "
- " VALUES (?104, ?105, (SELECT idx FROM NAMES WHERE name=?101 and label=?102));";
+ " VALUES (?104, ?105, (SELECT idx FROM NAMES WHERE name IS ?101 and label IS ?102));";
const char *DB_CMD_PERMISSION_SELECT =
"SELECT permissionMask FROM [join_name_permission_tables] "
- " WHERE permissionLabel=?104 "
- " AND name=?101 and label=?102;";
+ " WHERE permissionLabel IS ?104 "
+ " AND name IS ?101 AND label IS ?102;";
const char *DB_CMD_PERMISSION_DELETE = // SQLite does not support updating views
- "DELETE FROM PERMISSIONS WHERE permissionLabel=?104 AND "
- " idx=(SELECT idx FROM NAMES WHERE name=?101 and label=?102);";
+ "DELETE FROM PERMISSIONS WHERE permissionLabel IS ?104 AND "
+ " idx IS (SELECT idx FROM NAMES WHERE name IS ?101 AND label IS ?102);";
/*
@@ -129,8 +129,8 @@ namespace {
*/
const char *DB_CMD_NAME_SELECT_BY_TYPE_AND_PERMISSION =
"SELECT label, name FROM [join_all_tables] "
- " WHERE dataType>=?001 AND dataType<=?002 "
- " AND permissionLabel=?104 AND permissionMask&?004!=0 GROUP BY idx;";
+ " WHERE (dataType BETWEEN ?001 AND ?002) "
+ " AND permissionLabel IS ?104 AND permissionMask&?004 IS NOT 0 GROUP BY idx;";
}
namespace CKM {
@@ -217,26 +217,37 @@ namespace DB {
bool Crypto::getDBVersion(int & schemaVersion)
{
SchemaInfo SchemaInfo(this);
- if(SchemaInfo.getVersionInfo(schemaVersion)) {
+
+ /*
+ * SCHEMA_INFO (o)
+ * SCHEMA_INFO exists from schema version 3
+ */
+ if (m_connection->CheckTableExist("SCHEMA_INFO")
+ && SchemaInfo.getVersionInfo(schemaVersion)) {
LogDebug("Current DB version: " << schemaVersion);
return true;
}
- else
- {
- LogDebug("No DB version known or DB not present");
- // special case: old CKM_TABLE exists
- if(m_connection->CheckTableExist("CKM_TABLE")) {
- schemaVersion = DB_VERSION_1;
- return true;
- }
+ /*
+ * SCHEMA_INFO (x) / CKM_TABLE (o)
+ * CKM_TABLE exists only in schema version 1
+ * -> schema version 1
+ */
+ if (m_connection->CheckTableExist("CKM_TABLE")) {
+ schemaVersion = DB_VERSION_1;
+ return true;
+ }
- // special case: new scheme exists, but no SCHEMA_INFO table present
- else if(m_connection->CheckTableExist("NAME_TABLE")) {
- schemaVersion = DB_VERSION_2;
- return true;
- }
+ /*
+ * SCHEMA_INFO (x) / CKM_TABLE (x) / NAME_TABLE (o)
+ * NAME_TABLE exists only in schema version 2
+ * -> schema version 2
+ */
+ if (m_connection->CheckTableExist("NAME_TABLE")) {
+ schemaVersion = DB_VERSION_2;
+ return true;
}
+
// not recognized - proceed with an empty DBs
return false;
}
diff --git a/src/manager/service/digest.cpp b/src/manager/service/digest.cpp
index 681c16b..0bec6fc 100644
--- a/src/manager/service/digest.cpp
+++ b/src/manager/service/digest.cpp
@@ -47,11 +47,8 @@ void Digest::reset()
m_initialized = false;
m_finalized = false;
-
m_ctx = EVP_MD_CTX_create();
- if (!m_ctx) {
- ThrowMsg(Exception::InternalError,
- "Failed to memory allocation on EVP_MD_CTX");
+ if (m_ctx == nullptr) {
}
ret = EVP_DigestInit_ex(m_ctx, m_md, NULL);
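Review bot: The allocation-failure branch `if (m_ctx == nullptr) { }` is now empty, so a NULL EVP_MD_CTX reaches `EVP_DigestInit_ex(m_ctx, m_md, NULL)` on the next line instead of being reported. The removed throw belongs inside the new condition: `if (m_ctx == nullptr) {` / `ThrowMsg(Exception::InternalError, "Failed to memory allocation on EVP_MD_CTX");` / `}`. Digest::reset begins outside the hunk.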
diff --git a/src/manager/service/file-lock.cpp b/src/manager/service/file-lock.cpp
index 6c77098..445e239 100644
--- a/src/manager/service/file-lock.cpp
+++ b/src/manager/service/file-lock.cpp
@@ -21,6 +21,8 @@
#include "file-lock.h"
+#include <dpl/errno_string.h>
+
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -48,30 +50,28 @@ std::runtime_error io_exception(const Args&... args)
FileLock::FileLock(const char* const file)
{
- char errbuf[512] = {0, };
-
// Open lock file
m_lockFd = TEMP_FAILURE_RETRY(creat(file, 0644));
if (m_lockFd == -1) {
- throw io_exception("Cannot open lock file. Errno: ", strerror_r(errno, errbuf, sizeof(errbuf)));
+ throw io_exception("Cannot open lock file. Errno: ", GetErrnoString(errno));
}
if (-1 == lockf(m_lockFd, F_TLOCK, 0)) {
if (errno == EACCES || errno == EAGAIN)
throw io_exception("Can't acquire lock. Another instance must be running.");
else
- throw io_exception("Can't acquire lock. Errno: ", strerror_r(errno, errbuf, sizeof(errbuf)));
+ throw io_exception("Can't acquire lock. Errno: ", GetErrnoString(errno));
}
std::string pid = std::to_string(getpid());
ssize_t written = TEMP_FAILURE_RETRY(write(m_lockFd, pid.c_str(), pid.size()));
if (-1 == written || static_cast<ssize_t>(pid.size()) > written)
- throw io_exception("Can't write file lock. Errno: ", strerror_r(errno, errbuf, sizeof(errbuf)));
+ throw io_exception("Can't write file lock. Errno: ", GetErrnoString(errno));
int ret = fsync(m_lockFd);
if (-1 == ret)
- throw io_exception("Fsync failed. Errno: ", strerror_r(errno, errbuf, sizeof(errbuf)));
+ throw io_exception("Fsync failed. Errno: ", GetErrnoString(errno));
}
FileLock::~FileLock()
diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp
index 7a02fe1..e2b953a 100644
--- a/src/manager/service/file-system.cpp
+++ b/src/manager/service/file-system.cpp
@@ -47,44 +47,44 @@ const std::string CKM_KEY_BACKUP_PREFIX = "key-backup-";
const std::string CKM_DB_KEY_PREFIX = "db-key-";
const std::string CKM_DB_PREFIX = "db-";
const std::string CKM_REMOVED_APP_PREFIX = "removed-app-";
-const std::string CKM_LOCK_FILE = "/var/run/key-manager.pid";
+const std::string CKM_LOCK_FILE = "/run/key-manager.pid";
} // namespace anonymous
namespace CKM {
-FileSystem::FileSystem(uid_t uid)
- : m_uid(uid)
+FileSystem::FileSystem(const ClientID &clientID)
+ : m_clientID(clientID)
{}
std::string FileSystem::getDBPath() const
{
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_DB_PREFIX << m_uid;
+ ss << CKM_DATA_PATH << CKM_DB_PREFIX << m_clientID;
return ss.str();
}
std::string FileSystem::getDKEKPath() const {
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_KEY_PREFIX << m_uid;
+ ss << CKM_DATA_PATH << CKM_KEY_PREFIX << m_clientID;
return ss.str();
}
std::string FileSystem::getDKEKBackupPath() const {
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_KEY_BACKUP_PREFIX << m_uid;
+ ss << CKM_DATA_PATH << CKM_KEY_BACKUP_PREFIX << m_clientID;
return ss.str();
}
std::string FileSystem::getDBDEKPath() const {
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_uid;
+ ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_clientID;
return ss.str();
}
std::string FileSystem::getRemovedAppsPath() const {
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_REMOVED_APP_PREFIX << m_uid;
+ ss << CKM_DATA_PATH << CKM_REMOVED_APP_PREFIX << m_clientID;
return ss.str();
}
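Review bot: `m_clientID` is now streamed straight into the file name in getDBPath and the four sibling getters (`ss << CKM_DATA_PATH << CKM_DB_PREFIX << m_clientID;`), and unlike the former uid_t nothing visible constrains its characters. The value reaches here from the control socket — processControl deserializes it with `buffer.Deserialize(clientID, newPass)` — and getClientIDsFromDBFile builds it from a C string, so it appears to be string-like; a client ID containing a path separator or `..` would escape CKM_DATA_PATH. Unless ClientID's constructor validates its contents (not in this diff), reject anything outside the expected zone/uid alphabet in one place, either in ClientID itself or in the FileSystem constructor.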
@@ -217,15 +217,15 @@ int FileSystem::init() {
return 0;
}
-UidVector FileSystem::getUIDsFromDBFile() {
- UidVector uids;
+ClientIDVector FileSystem::getClientIDsFromDBFile(const std::string zone) {
+ ClientIDVector clientIDVec;
std::unique_ptr<DIR, std::function<int(DIR*)>>
dirp(::opendir(CKM_DATA_PATH.c_str()), ::closedir);
if (!dirp.get()) {
int err = errno;
LogError("Error in opendir. Data directory could not be read. Error: " << GetErrnoString(err));
- return UidVector();
+ return ClientIDVector();
}
size_t len = offsetof(struct dirent, d_name) + pathconf(CKM_DATA_PATH.c_str(), _PC_NAME_MAX) + 1;
@@ -234,20 +234,31 @@ UidVector FileSystem::getUIDsFromDBFile() {
if (!pEntry.get()) {
LogError("Memory allocation failed.");
- return UidVector();
+ return ClientIDVector();
}
struct dirent* pDirEntry = NULL;
while ( (!readdir_r(dirp.get(), pEntry.get(), &pDirEntry)) && pDirEntry ) {
- // Ignore files with diffrent prefix
if (strncmp(pDirEntry->d_name, CKM_KEY_PREFIX.c_str(), CKM_KEY_PREFIX.size())) {
+ LogDebug("Not DomainKEK file.");
continue;
}
-
- // We find database. Let's extract user id.
+#ifdef DB_PER_ZONE_ENABLE
+ if (strlen(pDirEntry->d_name + CKM_KEY_PREFIX.size()) <= zone.size()) {
+ LogError("Should not happen. "
+ "Key file[" << pDirEntry->d_name << "] clientID(zone + uid) length should be longer than zone name size");
+ continue;
+ }
+ if (strncmp(pDirEntry->d_name + CKM_KEY_PREFIX.size(), zone.c_str(), zone.size())) {
+ LogDebug("Another zone's DomainKEK file.");
+ continue;
+ }
+#else
+ (void) zone;
+#endif
try {
- uids.push_back(static_cast<uid_t>(std::stoi((pDirEntry->d_name)+CKM_KEY_PREFIX.size())));
+ clientIDVec.push_back(pDirEntry->d_name + CKM_KEY_PREFIX.size());
} catch (const std::invalid_argument) {
LogError("Error in extracting uid from db file. Error=std::invalid_argument."
"This will be ignored.File=" << pDirEntry->d_name << "");
@@ -256,49 +267,38 @@ UidVector FileSystem::getUIDsFromDBFile() {
"This will be ignored. File="<< pDirEntry->d_name << "");
}
}
-
- return uids;
+ return clientIDVec;
}
int FileSystem::removeUserData() const {
- int err, retCode = 0;
- if (unlink(getDBPath().c_str())) {
- retCode = -1;
- err = errno;
- LogError("Error in unlink user database: " << getDBPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
- }
+ if (removeFile(getDBPath())
+ || removeFile(getDKEKPath())
+ || removeFile(getDKEKBackupPath())
+ || removeFile(getDBDEKPath())
+ || removeFile(getRemovedAppsPath())) {
- if (unlink(getDKEKPath().c_str())) {
- retCode = -1;
- err = errno;
- LogError("Error in unlink user DKEK: " << getDKEKPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
+ return -1;
}
- if (unlink(getDKEKBackupPath().c_str())) {
- retCode = -1;
- err = errno;
- LogDebug("Unlink user backup DKEK failed (file probably does not exists): " << getDKEKBackupPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
- }
+ return 0;
+}
- if (unlink(getDBDEKPath().c_str())) {
- retCode = -1;
- err = errno;
- LogError("Error in unlink user DBDEK: " << getDBDEKPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
- }
+int FileSystem::removeFile(const std::string &path) const
+{
+ if (access(path.c_str(), F_OK) == 0
+ && unlink(path.c_str()) != 0) {
- if (unlink(getRemovedAppsPath().c_str())) {
- retCode = -1;
- err = errno;
- LogError("Error in unlink user's Removed Apps File: " << getRemovedAppsPath()
- << "Errno: " << errno << " " << GetErrnoString(err));
+ int err = errno;
+
+ LogError("Unlink Path[" << path
+ << "] Errno[" << errno
+ << "] ErrnoString[" << GetErrnoString(err) << "]");
+
+ return -1;
}
- return retCode;
+ return 0;
}
FileLock FileSystem::lock()
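Review bot: removeUserData now stops at the first failure because of the `||` chain, so if unlinking the database fails the DKEK, DKEK backup, DBDEK and removed-apps files are left behind; the previous version attempted all five and only then reported -1, which is the safer shape for a routine whose purpose is to purge key material. removeFile's `access(F_OK)` followed by `unlink` is also a check-then-act pair; unlinking unconditionally and treating ENOENT as success, `if (unlink(path.c_str()) != 0 && errno != ENOENT) {`, is simpler and has no window. A removeUserData that tries every path:
```cpp
int FileSystem::removeUserData() const {
    int retCode = 0;
    for (const std::string &path : {getDBPath(), getDKEKPath(), getDKEKBackupPath(),
                                    getDBDEKPath(), getRemovedAppsPath()}) {
        if (removeFile(path))
            retCode = -1;   // keep going: purge as much as possible, report once
    }
    return retCode;
}
// … unchanged: removeFile …
```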
diff --git a/src/manager/service/file-system.h b/src/manager/service/file-system.h
index 9058c42..2e7767f 100644
--- a/src/manager/service/file-system.h
+++ b/src/manager/service/file-system.h
@@ -21,14 +21,14 @@
*/
#pragma once
-#include <ckm/ckm-type.h>
#include <string>
+#include <ckm/ckm-type.h>
#include <file-lock.h>
namespace CKM {
typedef std::vector<std::string> AppLabelVector;
-typedef std::vector<uid_t> UidVector;
+typedef std::vector<ClientID> ClientIDVector;
class FileSystem {
public:
@@ -40,7 +40,7 @@ public:
DECLARE_EXCEPTION_TYPE(Base, RenameFailed)
};
- FileSystem(uid_t uid);
+ FileSystem(const ClientID &clientID);
std::string getDBPath() const;
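Review bot: `FileSystem(const ClientID &clientID);` is a single-argument constructor without `explicit`, so any ClientID converts implicitly into a handle on that client's on-disk key files. Declare it `explicit FileSystem(const ClientID &clientID);` so the conversion is spelled out at each call site.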
@@ -65,7 +65,7 @@ public:
AppLabelVector clearRemovedsApps() const;
static int init();
- static UidVector getUIDsFromDBFile();
+ static ClientIDVector getClientIDsFromDBFile(std::string zone);
static FileLock lock();
virtual ~FileSystem(){}
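Review bot: `static ClientIDVector getClientIDsFromDBFile(std::string zone);` takes the zone by value, and the definition in file-system.cpp spells it `const std::string zone`, so the two differ in top-level const and every call copies the string. The parameter is only read through `zone.c_str()`/`zone.size()`, so declare and define it as `const std::string &zone`.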
@@ -77,8 +77,9 @@ protected:
void saveFile(const std::string &path, const RawBuffer &buffer) const;
std::string getRemovedAppsPath() const;
void moveFile(const std::string &from, const std::string &to) const;
+ int removeFile(const std::string &path) const;
- uid_t m_uid;
+ ClientID m_clientID;
};
} // namespace CKM
diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp
index a50e5b2..6da61dd 100644
--- a/src/manager/service/key-provider.cpp
+++ b/src/manager/service/key-provider.cpp
@@ -49,6 +49,23 @@ CKM::RawBuffer toRawBuffer(T *)
return CKM::RawBuffer();
}
+int cleanMemory(void *targetPtr, size_t targetSize)
+{
+ char *ptr = reinterpret_cast<char *>(targetPtr);
+
+ // overwrite ptr
+ for (size_t size = 0; size < targetSize; ++size)
+ ptr[size] = 0;
+
+ // verification
+ for (size_t size = 0; size < targetSize; ++size) {
+ if (0 != ptr[size]) {
+ return -1; // fail
+ }
+ }
+ return 0; // success
+}
+
} // anonymous namespace
using namespace CKM;
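Review bot: cleanMemory zeroes through a plain `char *` a block that every caller deletes immediately afterwards, so the compiler may drop the stores as dead; the read-back loop does not prevent that, since it can be folded away together with the stores, and the DEK/DKEK bytes then survive in freed memory. Writing through a volatile pointer, `volatile char *ptr = reinterpret_cast<volatile char *>(targetPtr);`, makes both loops volatile accesses that must be emitted; OPENSSL_cleanse, from the OpenSSL library this file already uses, is the other option. With either, the verification loop becomes redundant but harmless.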
@@ -59,6 +76,25 @@ WrappedKeyAndInfoContainer::WrappedKeyAndInfoContainer()
memset(wrappedKeyAndInfo, 0, sizeof(WrappedKeyAndInfo));
}
+WrappedKeyAndInfoContainer::WrappedKeyAndInfoContainer(const WrappedKeyAndInfoContainer &second)
+{
+ wrappedKeyAndInfo = new WrappedKeyAndInfo;
+ memcpy(wrappedKeyAndInfo, second.wrappedKeyAndInfo, sizeof(WrappedKeyAndInfo));
+}
+
+WrappedKeyAndInfoContainer &WrappedKeyAndInfoContainer::operator=(const WrappedKeyAndInfoContainer &second)
+{
+ if (this == &second)
+ return *this;
+
+ if (wrappedKeyAndInfo)
+ delete wrappedKeyAndInfo;
+
+ wrappedKeyAndInfo = new WrappedKeyAndInfo;
+ memcpy(wrappedKeyAndInfo, second.wrappedKeyAndInfo, sizeof(WrappedKeyAndInfo));
+ return *this;
+}
+
WrappedKeyAndInfoContainer::WrappedKeyAndInfoContainer(const unsigned char *data)
{
wrappedKeyAndInfo = new WrappedKeyAndInfo;
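Review bot: WrappedKeyAndInfoContainer::operator= deletes the current block before `wrappedKeyAndInfo = new WrappedKeyAndInfo;`, so if the allocation throws the object is left holding a freed pointer; KeyAndInfoContainer::operator= in the next hunk has the same delete-then-new shape. Since the payload is copied with memcpy and both constructors always allocate, copy in place when the member is non-null — `if (wrappedKeyAndInfo) { memcpy(wrappedKeyAndInfo, second.wrappedKeyAndInfo, sizeof(WrappedKeyAndInfo)); return *this; }` — and only allocate when it is null; otherwise allocate and fill the replacement first and delete the old block last.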
@@ -113,6 +149,31 @@ KeyAndInfoContainer::KeyAndInfoContainer()
memset(keyAndInfo, 0, sizeof(KeyAndInfo));
}
+KeyAndInfoContainer::KeyAndInfoContainer(const KeyAndInfoContainer &second)
+{
+ keyAndInfo = new KeyAndInfo;
+ memcpy(keyAndInfo, second.keyAndInfo, sizeof(KeyAndInfo));
+}
+
+KeyAndInfoContainer &KeyAndInfoContainer::operator=(const KeyAndInfoContainer &second)
+{
+ if (this == &second)
+ return *this;
+
+ if (keyAndInfo) {
+ if (cleanMemory(keyAndInfo, sizeof(KeyAndInfo))) {
+ delete keyAndInfo;
+ ThrowMsg(Exception::Base,
+ "KeyAndInfo in KeyAndInfoContainer was not destroyed!");
+ }
+ delete keyAndInfo;
+ }
+
+ keyAndInfo = new KeyAndInfo;
+ memcpy(keyAndInfo, second.keyAndInfo, sizeof(KeyAndInfo));
+ return *this;
+}
+
KeyAndInfoContainer::KeyAndInfoContainer(const unsigned char *data)
{
keyAndInfo = new KeyAndInfo;
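Review bot: In KeyAndInfoContainer::operator=, the failure branch does `delete keyAndInfo;` and then throws, leaving the member pointing at freed memory; when the object is later destroyed, ~KeyAndInfoContainer (next hunk) runs cleanMemory over that freed block and deletes it a second time. The same dangling state exists between `delete keyAndInfo;` and `keyAndInfo = new KeyAndInfo;` if the allocation throws. Allocating and filling the replacement first and installing it before anything can throw keeps the object valid on every path:
```cpp
KeyAndInfoContainer &KeyAndInfoContainer::operator=(const KeyAndInfoContainer &second)
{
    if (this == &second)
        return *this;

    KeyAndInfo *fresh = new KeyAndInfo;
    memcpy(fresh, second.keyAndInfo, sizeof(KeyAndInfo));

    KeyAndInfo *old = keyAndInfo;
    keyAndInfo = fresh;   // member is valid before anything below can throw
    if (old) {
        const bool scrubbed = (cleanMemory(old, sizeof(KeyAndInfo)) == 0);
        delete old;
        if (!scrubbed)
            ThrowMsg(Exception::Base,
                     "KeyAndInfo in KeyAndInfoContainer was not destroyed!");
    }
    return *this;
}
```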
@@ -136,18 +197,13 @@ void KeyAndInfoContainer::setKeyInfo(const KeyComponentsInfo *keyComponentsInfo)
KeyAndInfoContainer::~KeyAndInfoContainer()
{
- // overwrite key
- char *ptr = reinterpret_cast<char*>(keyAndInfo);
- for (size_t size = 0; size < sizeof(KeyAndInfo); ++size)
- ptr[size] = 0;
- // verification
- for (size_t size = 0; size < sizeof(KeyAndInfo); ++size) {
- if (0 != ptr[size]) {
- delete keyAndInfo;
- ThrowMsg(Exception::Base, "KeyAndInfo in KeyAndInfoContainer "
- "was not destroyed!");
- }
+ if (cleanMemory(keyAndInfo, sizeof(KeyAndInfo))) {
+ // destroy verification failed.
+ delete keyAndInfo;
+ ThrowMsg(Exception::Base,
+ "KeyAndInfo in KeyAndInfoContainer was not destroyed!");
}
+
delete keyAndInfo;
}
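Review bot: ~KeyAndInfoContainer still throws via ThrowMsg after `delete keyAndInfo;`; a user-declared destructor is implicitly noexcept in C++11 unless declared noexcept(false), so this path ends in std::terminate rather than delivering Exception::Base (the header is not in this diff, so this is inferred from the default). If the scrub failure must be reported, log it and fall through to the normal delete, e.g. `LogError("KeyAndInfo in KeyAndInfoContainer was not destroyed!");` in place of the ThrowMsg and the branch's own delete; otherwise declare the destructor noexcept(false) explicitly so the intent is visible.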
@@ -165,19 +221,20 @@ KeyProvider::KeyProvider(
, m_isInitialized(true)
{
if (domainKEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)) {
- LogError("input size:" << domainKEKInWrapForm.size()
- << " Expected: " << sizeof(WrappedKeyAndInfo));
- ThrowMsg(Exception::InputParamError, "buffer doesn't have proper size to store WrappedKeyAndInfo in KeyProvider Constructor");
+ ThrowMsg(Exception::InputParamError,
+ "domainKEKInWrapForm "
+ "input size:" << domainKEKInWrapForm.size() <<
+ " Expected:" << sizeof(WrappedKeyAndInfo));
}
- WrappedKeyAndInfoContainer wkmcDKEK = WrappedKeyAndInfoContainer(domainKEKInWrapForm.data());
+ WrappedKeyAndInfoContainer wkmcDKEK(domainKEKInWrapForm.data());
char *concat_user_pass = NULL;
uint8_t PKEK1[MAX_KEY_SIZE];
concat_user_pass = concat_password_user(
wkmcDKEK.getWrappedKeyAndInfo().keyInfo.label,
- password.c_str());
+ getConvertedStr(password));
if (!PKCS5_PBKDF2_HMAC_SHA1(
concat_user_pass,
@@ -204,7 +261,8 @@ KeyProvider::KeyProvider(
wkmcDKEK.getWrappedKeyAndInfo().keyInfo.iv,
m_kmcDKEK->getKeyAndInfo().key))) {
- ThrowMsg(Exception::PassWordError, "VerifyDomainKEK failed in KeyProvider Constructor");
+ ThrowMsg(Exception::PassWordError,
+ "VerifyDomainKEK failed in KeyProvider Constructor");
}
m_kmcDKEK->setKeyInfo(&(wkmcDKEK.getWrappedKeyAndInfo().keyInfo));
@@ -243,7 +301,9 @@ RawBuffer KeyProvider::getPureDomainKEK()
ThrowMsg(Exception::InitFailed, "Object not initialized!");
}
- return RawBuffer(m_kmcDKEK->getKeyAndInfo().key, (m_kmcDKEK->getKeyAndInfo().key) + m_kmcDKEK->getKeyAndInfo().keyInfo.keyLength);
+ return RawBuffer(m_kmcDKEK->getKeyAndInfo().key,
+ (m_kmcDKEK->getKeyAndInfo().key)
+ + m_kmcDKEK->getKeyAndInfo().keyInfo.keyLength);
}
RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password)
@@ -252,14 +312,14 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password)
ThrowMsg(Exception::InitFailed, "Object not initialized!");
}
- WrappedKeyAndInfoContainer wkmcDKEK = WrappedKeyAndInfoContainer();
+ WrappedKeyAndInfoContainer wkmcDKEK;
char *concat_user_pass = NULL;
uint8_t PKEK1[MAX_KEY_SIZE];
concat_user_pass = concat_password_user(
m_kmcDKEK->getKeyAndInfo().keyInfo.label,
- password.c_str());
+ getConvertedStr(password));
if (!PKCS5_PBKDF2_HMAC_SHA1(
concat_user_pass,
@@ -305,15 +365,14 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm)
}
if (DEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)){
- LogError("input size:" << DEKInWrapForm.size()
- << " Expected: " << sizeof(WrappedKeyAndInfo));
ThrowMsg(Exception::InputParamError,
- "buffer doesn't have proper size to store "
- "WrappedKeyAndInfo in KeyProvider::getPureDEK");
+ "DEKInWrapForm "
+ "input size:" << DEKInWrapForm.size() <<
+ " Expected:" << sizeof(WrappedKeyAndInfo));
}
- KeyAndInfoContainer kmcDEK = KeyAndInfoContainer();
- WrappedKeyAndInfoContainer wkmcDEK = WrappedKeyAndInfoContainer(DEKInWrapForm.data());
+ KeyAndInfoContainer kmcDEK;
+ WrappedKeyAndInfoContainer wkmcDEK(DEKInWrapForm.data());
uint8_t PKEK2[MAX_KEY_SIZE];
int keyLength;
@@ -347,7 +406,8 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm)
LogDebug("getPureDEK SUCCESS");
return RawBuffer(
kmcDEK.getKeyAndInfo().key,
- (kmcDEK.getKeyAndInfo().key) + kmcDEK.getKeyAndInfo().keyInfo.keyLength);
+ (kmcDEK.getKeyAndInfo().key)
+ + kmcDEK.getKeyAndInfo().keyInfo.keyLength);
}
RawBuffer KeyProvider::generateDEK(const std::string &smackLabel)
@@ -357,7 +417,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel)
"Object not initialized!");
}
- WrappedKeyAndInfoContainer wkmcDEK = WrappedKeyAndInfoContainer();
+ WrappedKeyAndInfoContainer wkmcDEK;
std::string resized_smackLabel;
if (smackLabel.length() < APP_LABEL_SIZE)
@@ -413,16 +473,15 @@ RawBuffer KeyProvider::reencrypt(
const Password &newPass)
{
if (domainKEKInWrapForm.size() != sizeof(WrappedKeyAndInfo)) {
- LogError("input size:" << domainKEKInWrapForm.size()
- << " Expected: " << sizeof(WrappedKeyAndInfo));
ThrowMsg(Exception::InputParamError,
- "buffer doesn't have proper size to store "
- "WrappedKeyAndInfo in KeyProvider::reencrypt");
+ "domainKEKInWrapForm "
+ "input size:" << domainKEKInWrapForm.size() <<
+ " Expected:" << sizeof(WrappedKeyAndInfo));
}
- WrappedKeyAndInfoContainer wkmcOldDKEK = WrappedKeyAndInfoContainer(domainKEKInWrapForm.data());
- WrappedKeyAndInfoContainer wkmcNewDKEK = WrappedKeyAndInfoContainer();
- KeyAndInfoContainer kmcDKEK = KeyAndInfoContainer();
+ WrappedKeyAndInfoContainer wkmcOldDKEK(domainKEKInWrapForm.data());
+ WrappedKeyAndInfoContainer wkmcNewDKEK;
+ KeyAndInfoContainer kmcDKEK;
char *concat_user_pass = NULL;
uint8_t PKEK1[MAX_KEY_SIZE];
@@ -431,7 +490,7 @@ RawBuffer KeyProvider::reencrypt(
concat_user_pass = concat_password_user(
wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.label,
- oldPass.c_str());
+ getConvertedStr(oldPass));
if (!PKCS5_PBKDF2_HMAC_SHA1(
concat_user_pass,
@@ -464,7 +523,7 @@ RawBuffer KeyProvider::reencrypt(
concat_user_pass = concat_password_user(
kmcDKEK.getKeyAndInfo().keyInfo.label,
- newPass.c_str());
+ getConvertedStr(newPass));
if (!PKCS5_PBKDF2_HMAC_SHA1(
concat_user_pass,
@@ -507,7 +566,7 @@ RawBuffer KeyProvider::generateDomainKEK(
const std::string &user,
const Password &userPassword)
{
- WrappedKeyAndInfoContainer wkmcDKEK = WrappedKeyAndInfoContainer();
+ WrappedKeyAndInfoContainer wkmcDKEK;
uint8_t key[MAX_KEY_SIZE], PKEK1[MAX_KEY_SIZE];
if (!RAND_bytes(wkmcDKEK.getWrappedKeyAndInfo().keyInfo.salt, MAX_SALT_SIZE) ||
@@ -517,7 +576,7 @@ RawBuffer KeyProvider::generateDomainKEK(
int wrappedKeyLength;
char *concat_user_pass = NULL;
- concat_user_pass = concat_password_user(user.c_str(), userPassword.c_str());
+ concat_user_pass = concat_password_user(user.c_str(), getConvertedStr(userPassword));
if (!PKCS5_PBKDF2_HMAC_SHA1(
concat_user_pass,
strlen(concat_user_pass),
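Review bot: The KDF input length is taken with `strlen(concat_user_pass)` on the line after the changed call, and `getConvertedStr` only returns `password.c_str()`, so a password containing an embedded NUL byte would be silently truncated before PBKDF2 and the derived key would cover only the prefix; the same `strlen(password)` truncation happens inside concat_password_user. The plugin builds `Password` from a `std::string` range, so arbitrary bytes are at least possible; if `Password` exposes a size, a cheap guard before this line is `if (strlen(getConvertedStr(userPassword)) != userPassword.size()) ThrowMsg(Exception::InputParamError, "password must not contain NUL bytes");`, or better, pass an explicit length through to PKCS5_PBKDF2_HMAC_SHA1 instead of relying on NUL termination. This is hedged because the `Password` type's API is not visible in the diff, and generateDomainKEK's body continues past the hunk.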
@@ -569,7 +628,12 @@ KeyProvider::~KeyProvider()
LogDebug("KeyProvider Destructor");
}
-int KeyProvider::encryptAes256Gcm(const unsigned char *plaintext, int plaintext_len, const unsigned char *key, const unsigned char *iv, unsigned char *ciphertext, unsigned char *tag)
+int KeyProvider::encryptAes256Gcm(const unsigned char *plaintext,
+ int plaintext_len,
+ const unsigned char *key,
+ const unsigned char *iv,
+ unsigned char *ciphertext,
+ unsigned char *tag)
{
EVP_CIPHER_CTX *ctx;
@@ -611,7 +675,12 @@ int KeyProvider::encryptAes256Gcm(const unsigned char *plaintext, int plaintext_
return ciphertext_len;
}
-int KeyProvider::decryptAes256Gcm(const unsigned char *ciphertext, int ciphertext_len, unsigned char *tag, const unsigned char *key, const unsigned char *iv, unsigned char *plaintext)
+int KeyProvider::decryptAes256Gcm(const unsigned char *ciphertext,
+ int ciphertext_len,
+ unsigned char *tag,
+ const unsigned char *key,
+ const unsigned char *iv,
+ unsigned char *plaintext)
{
EVP_CIPHER_CTX *ctx;
@@ -679,9 +748,14 @@ char * KeyProvider::concat_password_user(const char *user, const char *password)
memset(concat_user_pass, '\0', concat_user_pass_len);
memcpy(concat_user_pass, password, strlen(password));
- memcpy(&(concat_user_pass[strlen(password)]), user, strlen(user));
+ memcpy(&(concat_user_pass[strlen(password)]), resized_user, strlen(resized_user));
concat_user_pass[strlen(resized_user) + strlen(password)] = '\0';
delete[] resized_user;
return concat_user_pass;
}
+
+const char* KeyProvider::getConvertedStr(const Password &password)
+{
+ return password.c_str();
+}
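Review bot: The changed memcpy now copies `resized_user`, which can be longer than the original `user`, so the allocation of `concat_user_pass` (computed in the part of concat_password_user above this hunk) must be sized from `strlen(resized_user)` rather than `strlen(user)`; otherwise the copy on the changed line and the terminator write at `concat_user_pass[strlen(resized_user) + strlen(password)]` run past the heap buffer by the padding length. Please confirm `concat_user_pass_len` is derived from the resized label, since if it is not this one-line fix turns a wrong-KDF-input bug into a heap overflow. Separately, `resized_user` is released with `delete[]` without being cleared, which is acceptable because it holds only the label, but the returned `concat_user_pass` carries the password and its callers should wipe it before freeing; a comment on the function saying `// caller owns the result, must zero it before delete[]` would make that expectation visible.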
diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h
index 612dcd3..8e08c8a 100644
--- a/src/manager/service/key-provider.h
+++ b/src/manager/service/key-provider.h
@@ -85,6 +85,10 @@ typedef struct WrappedKeyAndInfo_ {
class WrappedKeyAndInfoContainer{
public:
WrappedKeyAndInfoContainer();
+
+ WrappedKeyAndInfoContainer(const WrappedKeyAndInfoContainer &);
+ WrappedKeyAndInfoContainer &operator=(const WrappedKeyAndInfoContainer &);
+
WrappedKeyAndInfoContainer(const unsigned char*);
WrappedKeyAndInfo& getWrappedKeyAndInfo();
void setKeyInfoKeyLength(const unsigned int);
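Review bot: `WrappedKeyAndInfoContainer(const unsigned char*)` is a single-argument constructor that is not `explicit`, and it takes a bare pointer with no length; the callers in key-provider.cpp guard it with `size() != sizeof(WrappedKeyAndInfo)` before passing `data()`, but nothing at the declaration states that contract. Suggest `explicit WrappedKeyAndInfoContainer(const unsigned char*);` with the comment `// Reads exactly sizeof(WrappedKeyAndInfo) bytes; the caller must check the buffer length first.` The newly declared copy constructor and assignment operator should also say whether they wipe the destination's previous contents, since the struct carries wrapped key material and that is not visible from the declaration alone.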
@@ -103,6 +107,10 @@ public:
DECLARE_EXCEPTION_TYPE(CKM::Exception, Base)
};
KeyAndInfoContainer();
+
+ KeyAndInfoContainer(const KeyAndInfoContainer &);
+ KeyAndInfoContainer &operator=(const KeyAndInfoContainer &);
+
KeyAndInfoContainer(const unsigned char*);
KeyAndInfo& getKeyAndInfo();
void setKeyInfoKeyLength(const unsigned int);
@@ -172,6 +180,7 @@ public:
static int closeLibrary();
virtual ~KeyProvider();
+
private:
// KeyAndInfoContainer class
std::shared_ptr<KeyAndInfoContainer> m_kmcDKEK;
@@ -197,6 +206,7 @@ private:
const char *user,
const char *password);
+ static const char* getConvertedStr(const Password &password);
};
} // namespace CKM
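Review bot: `getConvertedStr` is declared without any note on what it returns, and its definition in key-provider.cpp just returns `password.c_str()`, so the pointer aliases the caller's `Password` and is only valid while that object is alive and unmodified. Suggest documenting that here: `// Returns a NUL-terminated view into `password`; valid only for the argument's lifetime, never free it.` If the helper is meant to grow into a real conversion later, as the name suggests, that contract must be revisited, because every call site feeds the result straight into concat_password_user.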
diff --git a/src/manager/service/ocsp-logic.cpp b/src/manager/service/ocsp-logic.cpp
index bd62d2c..61433fd 100644
--- a/src/manager/service/ocsp-logic.cpp
+++ b/src/manager/service/ocsp-logic.cpp
@@ -29,25 +29,81 @@
#include <ocsp-logic.h>
#include <ocsp.h>
+#include <system_info.h>
+
+#define FEATURE_WIFI "tizen.org/feature/network.internet"
+#define FEATURE_TELEPHONY "tizen.org/feature/network.telephony"
+#define FEATURE_TETHERING_BT "tizen.org/feature/network.tethering.bluetooth"
+#define FEATURE_ETHERNET "tizen.org/feature/network.ethernet"
+
namespace CKM {
+namespace {
+
+bool isFeatureOn(const char *feature)
+{
+ bool value = false;
+
+ if (SYSTEM_INFO_ERROR_NONE != system_info_get_platform_bool(feature, &value)) {
+ // system info capi error.
+ return false;
+ }
+
+ return value;
+}
+
+} // namespace anonymous
+
+
+OCSPLogic::OCSPLogic()
+ : m_isNetAvailable(false)
+{
+ setNetAvailable();
+}
+
+void OCSPLogic::setNetAvailable()
+{
+ if (isFeatureOn(FEATURE_WIFI)
+ || isFeatureOn(FEATURE_TELEPHONY)
+ || isFeatureOn(FEATURE_TETHERING_BT)
+ || isFeatureOn(FEATURE_ETHERNET)) {
+ m_isNetAvailable = true;
+ }
+ else {
+ m_isNetAvailable = false;
+ }
+}
+
RawBuffer OCSPLogic::ocspCheck(int commandId, const RawBufferVector &rawChain) {
CertificateImplVector certChain;
OCSPModule ocsp;
int retCode = CKM_API_SUCCESS;
int ocspStatus = CKM_API_OCSP_STATUS_INTERNAL_ERROR;
- for (auto &e: rawChain) {
- certChain.push_back(CertificateImpl(e, DataFormat::FORM_DER));
- if (certChain.rbegin()->empty()) {
- LogDebug("Error in parsing certificates!");
- retCode = CKM_API_ERROR_INPUT_PARAM;
- break;
- }
+
+ if (!m_isNetAvailable) {
+ // try again for in case of system-info error
+ setNetAvailable();
+ }
+
+ if (!m_isNetAvailable) {
+ retCode = CKM_API_ERROR_NOT_SUPPORTED;
}
+ else {
+ for (auto &e: rawChain) {
+ certChain.push_back(CertificateImpl(e, DataFormat::FORM_DER));
+ if (certChain.rbegin()->empty()) {
+ LogDebug("Error in parsing certificates!");
+ retCode = CKM_API_ERROR_INPUT_PARAM;
+ break;
+ }
+ }
- if (retCode == CKM_API_SUCCESS)
- ocspStatus = ocsp.verify(certChain);
+ if (certChain.size() < 2)
+ retCode = CKM_API_ERROR_INPUT_PARAM;
+ else if (retCode == CKM_API_SUCCESS)
+ ocspStatus = ocsp.verify(certChain);
+ }
return MessageBuffer::Serialize(commandId, retCode, ocspStatus).Pop();
}
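Review bot: `FEATURE_WIFI` is defined as `"tizen.org/feature/network.internet"`, which is not the Wi-Fi feature key, so the macro name misleads about what is being tested; rename it `FEATURE_INTERNET` or switch the key if Wi-Fi was the intent. More broadly, `m_isNetAvailable` records whether the platform advertises a network feature, not whether the device currently has connectivity, so a device with a telephony feature but no data link will presumably still enter `ocsp.verify` and fail at connect time; a comment on the member or a name such as `m_hasNetFeature` would make that explicit. The retry comment could be clearer too, e.g. `// re-query once: a false result may come from a system_info error rather than a missing feature`.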
diff --git a/src/manager/service/ocsp-logic.h b/src/manager/service/ocsp-logic.h
index f0dcab4..725e757 100644
--- a/src/manager/service/ocsp-logic.h
+++ b/src/manager/service/ocsp-logic.h
@@ -27,7 +27,7 @@ namespace CKM {
class OCSPLogic {
public:
- OCSPLogic(){}
+ OCSPLogic();
OCSPLogic(const OCSPLogic &) = delete;
OCSPLogic(OCSPLogic &&) = delete;
OCSPLogic& operator=(const OCSPLogic &) = delete;
@@ -35,6 +35,10 @@ public:
RawBuffer ocspCheck(int commandId, const RawBufferVector &rawChain);
virtual ~OCSPLogic(){}
+private:
+ void setNetAvailable();
+
+ bool m_isNetAvailable;
};
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 4f4477e..22b8b25 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -71,14 +71,13 @@ int OCSPModule::verify(const CertificateImplVector &certificateChain) {
// create trusted store
X509_STACK_PTR trustedCerts = create_x509_stack();
- // skip first 2 certificates
- for (auto it=certificateChain.cbegin()+2; it != certificateChain.cend(); it++)
- {
- if (it->empty()) {
+ for (unsigned int i=1; i < certificateChain.size(); i++) { // except leaf certificate
+ if (certificateChain[i].empty()) {
LogError("Error. Broken certificate chain.");
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- sk_X509_push(trustedCerts.get(), it->getX509());
+ sk_X509_push(trustedCerts.get(), certificateChain[i].getX509());
+ // these trusted certs will be changed while verifying ocsp status.
}
for (unsigned int i=0; i < certificateChain.size() -1; i++) {// except root certificate
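Review bot: The loop now pushes every certificate except the leaf into `trustedCerts`, including the leaf's direct issuer, which the previous code deliberately skipped; since the chain comes from the client (`rawChain` in OCSPLogic::ocspCheck, where the only check is `size() < 2`), a caller-supplied intermediate becomes a trusted signer for OCSP responses unless the chain is validated against the system trust store before it reaches this function, which I cannot see from the diff, so please confirm. The new comment `// these trusted certs will be changed while verifying ocsp status.` does not say what changes or why; if it means the stack serves as trust anchors for the responder signature in the loop below, say so: `// ocsp_verify() uses this stack as the trust anchors for the responder signature`. Note also that `sk_X509_push` does not take a reference on the X509, so `trustedCerts` must not outlive `certificateChain` and its deleter must not free the elements (unchanged from before, but worth stating).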
@@ -183,7 +182,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
}
if (BIO_do_connect(cbio) <= 0) {
- LogDebug("Error in BIO_do_connect.");
+ LogError("Error in BIO_do_connect.");
ERR_print_errors(bioLogger.get());
/* report error */
@@ -217,17 +216,17 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
req = OCSP_REQUEST_new();
if(req == NULL) {
- LogDebug("Error in OCPS_REQUEST_new");
+ LogError("Error in OCPS_REQUEST_new");
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
certid = OCSP_cert_to_id(NULL, cert, issuer);
if(certid == NULL) {
- LogDebug("Error in OCSP_cert_to_id");
+ LogError("Error in OCSP_cert_to_id");
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
if(OCSP_request_add0_id(req, certid) == NULL) {
- LogDebug("Error in OCSP_request_add0_id");
+ LogError("Error in OCSP_request_add0_id");
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
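Review bot: The early returns after `OCSP_REQUEST_new` succeeds leak `req`: both the `certid == NULL` branch and the `OCSP_request_add0_id(...) == NULL` branch return `CKM_API_OCSP_STATUS_INTERNAL_ERROR` without `OCSP_REQUEST_free(req)`, and depending on the OpenSSL version the second also leaks `certid`, which add0 has not taken ownership of on failure; whether `cbio` is released on these paths is outside the hunk. Minimal fix: `OCSP_REQUEST_free(req); return CKM_API_OCSP_STATUS_INTERNAL_ERROR;` in the first branch and `OCSP_CERTID_free(certid); OCSP_REQUEST_free(req); return CKM_API_OCSP_STATUS_INTERNAL_ERROR;` in the second, or better, hold `req` in a unique_ptr with `OCSP_REQUEST_free` as deleter the way `X509_STACK_PTR` is used elsewhere in this file. The new log string `LogError("Error in OCPS_REQUEST_new")` also has a typo, `OCPS` for `OCSP`.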
@@ -284,7 +283,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
OCSP_REQUEST_free(req);
OCSP_RESPONSE_free(resp);
- LogDebug("Error in OCSP_response_get1_basic");
+ LogError("Error in OCSP_response_get1_basic");
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
@@ -317,7 +316,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
OCSP_RESPONSE_free(resp);
OCSP_BASICRESP_free(bs);
X509_STORE_free(trustedStore);
- LogDebug("Error in OCSP_check_nonce");
+ LogError("Error in OCSP_check_nonce");
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
}
@@ -333,7 +332,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
OCSP_BASICRESP_free(bs);
X509_STORE_free(trustedStore);
- LogDebug("Error in OCSP_resp_find_status");
+ LogError("Error in OCSP_resp_find_status");
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
@@ -350,7 +349,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *trustedCer
OCSP_BASICRESP_free(bs);
X509_STORE_free(trustedStore);
- LogDebug("Error in OCSP_check_validity");
+ LogError("Error in OCSP_check_validity");
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
diff --git a/src/manager/sqlcipher/sqlcipher.c b/src/manager/sqlcipher/sqlcipher.c
index f40a67e..92e26bc 100644
--- a/src/manager/sqlcipher/sqlcipher.c
+++ b/src/manager/sqlcipher/sqlcipher.c
@@ -13384,7 +13384,7 @@ int sqlcipher_codec_ctx_set_pass(codec_ctx *ctx, const void *zKey, int nKey, int
c_ctx->derive_key = 1;
if(for_ctx == 2)
- if((rc = sqlcipher_cipher_ctx_copy(ctx->read_ctx, c_ctx)) != SQLCIPHER_OK)
+ if((rc = sqlcipher_cipher_ctx_copy(ctx->read_ctx, c_ctx)) != SQLCIPHER_OK)
return rc;
return SQLCIPHER_OK;
@@ -13595,7 +13595,7 @@ int sqlcipher_page_hmac(cipher_ctx *ctx, Pgno pgno, unsigned char *in, int in_sz
int sqlcipher_page_cipher(codec_ctx *ctx, int for_ctx, Pgno pgno, int mode, int page_sz, unsigned char *in, unsigned char *out) {
cipher_ctx *c_ctx = for_ctx ? ctx->write_ctx : ctx->read_ctx;
unsigned char *iv_in, *iv_out, *hmac_in, *hmac_out, *out_start;
- int tmp_csz, csz, size;
+ int tmp_csz, csz, size, rc;
/* calculate some required positions into various buffers */
size = page_sz - c_ctx->reserve_sz; /* adjust size to useable size and memset reserve at end of page */
@@ -13642,13 +13642,15 @@ int sqlcipher_page_cipher(codec_ctx *ctx, int for_ctx, Pgno pgno, int mode, int
}
}
- EVP_CipherInit(&c_ctx->ectx, c_ctx->evp_cipher, NULL, NULL, mode);
+ rc = EVP_CipherInit(&c_ctx->ectx, c_ctx->evp_cipher, NULL, NULL, mode);
EVP_CIPHER_CTX_set_padding(&c_ctx->ectx, 0);
- EVP_CipherInit(&c_ctx->ectx, NULL, c_ctx->key, iv_out, mode);
- EVP_CipherUpdate(&c_ctx->ectx, out, &tmp_csz, in, size);
+ rc = EVP_CipherInit(&c_ctx->ectx, NULL, c_ctx->key, iv_out, mode);
+ rc = EVP_CipherUpdate(&c_ctx->ectx, out, &tmp_csz, in, size);
csz = tmp_csz;
out += tmp_csz;
- EVP_CipherFinal(&c_ctx->ectx, out, &tmp_csz);
+ rc = EVP_CipherFinal(&c_ctx->ectx, out, &tmp_csz);
+ // patch to fix unchecked return value warning from prevent
+ (void) rc;
csz += tmp_csz;
EVP_CIPHER_CTX_cleanup(&c_ctx->ectx);
assert(size == csz);
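Review bot: Assigning the results of `EVP_CipherInit`, `EVP_CipherUpdate` and `EVP_CipherFinal` to `rc` and then discarding it with `(void) rc` silences the analyzer warning without handling the failure: a failed init or final leaves `out` and `csz` inconsistent, and the only detector is `assert(size == csz)`, which is compiled out of release builds, so a page could be written or read as garbage. Since this is the routine that encrypts and decrypts every database page, the status should be checked, e.g. `if (rc != 1) { EVP_CIPHER_CTX_cleanup(&c_ctx->ectx); return SQLCIPHER_ERROR; }` after each call, using whatever distinct error code the surrounding code returns. This is vendored SQLCipher, so the change should be kept as a tracked local patch rather than an in-place edit.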
@@ -20302,7 +20304,10 @@ SQLCIPHER_API sqlcipher3_int64 sqlcipher3_soft_heap_limit64(sqlcipher3_int64 n){
sqlcipher3_int64 priorLimit;
sqlcipher3_int64 excess;
#ifndef SQLCIPHER_OMIT_AUTOINIT
- sqlcipher3_initialize();
+ // patch to fix unchecked return value warning from prevent
+ // sqlcipher3_initialize();
+ int rc = sqlcipher3_initialize();
+ (void) rc;
#endif
sqlcipher3_mutex_enter(mem0.mutex);
priorLimit = mem0.alarmThreshold;
@@ -28548,7 +28553,10 @@ static int dotlockLock(sqlcipher3_file *id, int eFileLock) {
#ifdef HAVE_UTIME
utime(zLockFile, NULL);
#else
- utimes(zLockFile, NULL);
+ // patch to fix unchecked return value warning from prevent
+ // 0 on success, -1 on error. But it doesn't affect on any feature on program.
+ int rcTimeUpdate = utimes(zLockFile, NULL);
+ (void) rcTimeUpdate;
#endif
return SQLCIPHER_OK;
}
@@ -28627,13 +28635,16 @@ static int dotlockUnlock(sqlcipher3_file *id, int eFileLock) {
** Close a file. Make sure the lock has been released before closing.
*/
static int dotlockClose(sqlcipher3_file *id) {
- int rc;
+ int rc = SQLCIPHER_INTERNAL;
if( id ){
unixFile *pFile = (unixFile*)id;
dotlockUnlock(id, NO_LOCK);
sqlcipher3_free(pFile->lockingContext);
+
+ // patch to fix dereference pointer without null checking
+ rc = closeUnixFile(id);
}
- rc = closeUnixFile(id);
+ // rc = closeUnixFile(id);
return rc;
}
/****************** End of the dot-file lock implementation *******************
@@ -30595,9 +30606,8 @@ static int unixShmMap(
void *pMem;
if( pShmNode->h>=0 ){
pMem = mmap(0, szRegion,
- pShmNode->isReadonly ? PROT_READ : PROT_READ|PROT_WRITE,
- MAP_SHARED, pShmNode->h, ((off_t)(pShmNode->nRegion))*szRegion
- );
+ pShmNode->isReadonly ? PROT_READ : PROT_READ|PROT_WRITE,
+ MAP_SHARED, pShmNode->h, ((off_t)(pShmNode->nRegion))*szRegion);
if( pMem==MAP_FAILED ){
rc = unixLogError(SQLCIPHER_IOERR_SHMMAP, "mmap", pShmNode->zFilename);
goto shmpage_out;
@@ -31894,7 +31904,12 @@ static void unixDlError(sqlcipher3_vfs *NotUsed, int nBuf, char *zBufOut){
const char *zErr;
UNUSED_PARAMETER(NotUsed);
unixEnterMutex();
- zErr = dlerror();
+ /*
+ * Tizen patch. disable dlerror because of prevent defect.
+ * zErr = dlerror();
+ * fix error code for dlerror case.
+ */
+ zErr = "[Tizen] dlfcn function error occured";
if( zErr ){
sqlcipher3_snprintf(nBuf, zBufOut, "%s", zErr);
}
@@ -42588,7 +42603,7 @@ static int pagerPlaybackSavepoint(Pager *pPager, PagerSavepoint *pSavepoint){
*/
if( pSavepoint ){
u32 ii; /* Loop counter */
- i64 offset = ((i64)(pSavepoint->iSubRec))*(4+pPager->pageSize);
+ i64 offset = pSavepoint->iSubRec*((i64)(4+pPager->pageSize));
if( pagerUseWal(pPager) ){
rc = sqlcipher3WalSavepointUndo(pPager->pWal, pSavepoint->aWalData);
@@ -43435,7 +43450,7 @@ static int subjournalPage(PgHdr *pPg){
** write the journal record into the file. */
if( rc==SQLCIPHER_OK ){
void *pData = pPg->pData;
- i64 offset = ((i64)(pPager->nSubRec))*(4+pPager->pageSize);
+ i64 offset = pPager->nSubRec*((i64)(4+pPager->pageSize));
char *pData2;
CODEC2(pPager, pData, pPg->pgno, 7, return SQLCIPHER_NOMEM, pData2);
@@ -62333,7 +62348,7 @@ SQLCIPHER_PRIVATE u32 sqlcipher3VdbeSerialGet(
return 3;
}
case 4: { /* 4-byte signed integer */
- pMem->u.i = (((signed char)buf[0])<<24) | (buf[1]<<16) | (buf[2]<<8) | buf[3];
+ pMem->u.i = (i64)(buf[0]<<24) | (buf[1]<<16) | (buf[2]<<8) | buf[3];
pMem->flags = MEM_Int;
return 4;
}
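Review bot: `(i64)(buf[0]<<24)` still left-shifts an `int` promoted from the byte, so for `buf[0] >= 0x80` the shift overflows `int`, which is undefined behaviour in C, and the cast to `i64` happens only after that overflow, so the sign extension the old `(signed char)` cast provided is now reached by accident rather than by definition. Upstream SQLite avoids both issues with a multiply, `pMem->u.i = 16777216*(i8)buf[0] | (buf[1]<<16) | (buf[2]<<8) | buf[3];` (its later `FOUR_BYTE_INT` macro), which is well-defined and keeps the 4-byte record signed. This assumes `buf` is `const unsigned char*` and `i8` is the signed 8-bit typedef SQLite uses, which is not visible in the hunk.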
@@ -63387,7 +63402,10 @@ SQLCIPHER_API void *sqlcipher3_aggregate_context(sqlcipher3_context *p, int nByt
pMem->flags = MEM_Null;
pMem->z = 0;
}else{
- sqlcipher3VdbeMemGrow(pMem, nByte, 0);
+ // patch to fix unchecked return value warning from prevent
+ int rc = sqlcipher3VdbeMemGrow(pMem, nByte, 0);
+ (void) rc;
+
pMem->flags = MEM_Agg;
pMem->u.pDef = p->pFunc;
if( pMem->z ){
@@ -73596,6 +73614,7 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
const char *zId; /* The function name. */
FuncDef *pDef; /* Information about the function */
u8 enc = ENC(pParse->db); /* The database encoding */
+ int rc; // patch to fix unchecked return value warning from prevent
testcase( pExpr->op==TK_CONST_FUNC );
assert( !ExprHasProperty(pExpr, EP_xIsSelect) );
@@ -73643,7 +73662,9 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
pNC->hasAgg = 1;
}
if( is_agg ) pNC->allowAgg = 0;
- sqlcipher3WalkExprList(pWalker, pList);
+ // patch to fix unchecked return value warning from prevent
+ rc = sqlcipher3WalkExprList(pWalker, pList);
+ (void) rc;
if( is_agg ) pNC->allowAgg = 1;
/* FIX ME: Compute pExpr->affinity based on the expected return
** type of the function
@@ -82497,6 +82518,7 @@ SQLCIPHER_PRIVATE void sqlcipher3CreateView(
DbFixer sFix;
Token *pName = 0;
int iDb;
+ int rc; // patch to fix unchecked return value warning from prevent
sqlcipher3 *db = pParse->db;
if( pParse->nVar>0 ){
@@ -82510,7 +82532,10 @@ SQLCIPHER_PRIVATE void sqlcipher3CreateView(
sqlcipher3SelectDelete(db, pSelect);
return;
}
- sqlcipher3TwoPartName(pParse, pName1, pName2, &pName);
+ rc = sqlcipher3TwoPartName(pParse, pName1, pName2, &pName);
+ // patch to fix unchecked return value warning from prevent
+ (void) rc;
+
iDb = sqlcipher3SchemaToIndex(db, p->pSchema);
if( sqlcipher3FixInit(&sFix, pParse, iDb, "view", pName)
&& sqlcipher3FixSelect(&sFix, pSelect)
@@ -87848,6 +87873,7 @@ static void fkScanChildren(
NameContext sNameContext; /* Context used to resolve WHERE clause */
WhereInfo *pWInfo; /* Context used by sqlcipher3WhereXXX() */
int iFkIfZero = 0; /* Address of OP_FkIfZero */
+ int rc; // patch to fix unchecked return value warning from prevent
Vdbe *v = sqlcipher3GetVdbe(pParse);
assert( !pIdx || pIdx->pTable==pTab );
@@ -87920,7 +87946,9 @@ static void fkScanChildren(
memset(&sNameContext, 0, sizeof(NameContext));
sNameContext.pSrcList = pSrc;
sNameContext.pParse = pParse;
- sqlcipher3ResolveExprNames(&sNameContext, pWhere);
+ rc = sqlcipher3ResolveExprNames(&sNameContext, pWhere);
+ // patch to fix unchecked return value warning from prevent
+ (void) rc;
/* Create VDBE to loop through the entries in pSrc that match the WHERE
** clause. If the constraint is not deferred, throw an exception for
@@ -93219,12 +93247,12 @@ SQLCIPHER_PRIVATE void sqlcipher3Pragma(
#if defined(SQLCIPHER_HAS_CODEC) || defined(SQLCIPHER_ENABLE_CEROD)
if( sqlcipher3StrICmp(zLeft, "activate_extensions")==0 ){
#ifdef SQLCIPHER_HAS_CODEC
- if( sqlcipher3StrNICmp(zRight, "see-", 4)==0 ){
+ if( zRight && sqlcipher3StrNICmp(zRight, "see-", 4)==0 ){
sqlcipher3_activate_see(&zRight[4]);
}
#endif
#ifdef SQLCIPHER_ENABLE_CEROD
- if( sqlcipher3StrNICmp(zRight, "cerod-", 6)==0 ){
+ if( zRight && sqlcipher3StrNICmp(zRight, "cerod-", 6)==0 ){
sqlcipher3_activate_cerod(&zRight[6]);
}
#endif
@@ -93330,15 +93358,17 @@ SQLCIPHER_PRIVATE int sqlcipher3InitCallback(void *pInit, int argc, char **argv,
*/
int rc;
sqlcipher3_stmt *pStmt;
- TESTONLY(int rcp); /* Return code from sqlcipher3_prepare() */
+ int rcp; /* Return code from sqlcipher3_prepare() */
assert( db->init.busy );
db->init.iDb = iDb;
db->init.newTnum = sqlcipher3Atoi(argv[1]);
db->init.orphanTrigger = 0;
- TESTONLY(rcp = ) sqlcipher3_prepare(db, argv[2], -1, &pStmt, 0);
+ rcp = sqlcipher3_prepare(db, argv[2], -1, &pStmt, 0);
rc = db->errCode;
assert( (rc&0xFF)==(rcp&0xFF) );
+ (void) rcp;
+
db->init.iDb = 0;
if( SQLCIPHER_OK!=rc ){
if( db->init.orphanTrigger ){
@@ -96946,7 +96976,12 @@ static int flattenSubquery(
/* Authorize the subquery */
pParse->zAuthContext = pSubitem->zName;
- sqlcipher3AuthCheck(pParse, SQLCIPHER_SELECT, 0, 0, 0);
+
+ // patch for unchecked return value warning from prevent
+ // sqlcipher3AuthCheck(pParse, SQLCIPHER_SELECT, 0, 0, 0);
+ int authResult = sqlcipher3AuthCheck(pParse, SQLCIPHER_SELECT, 0, 0, 0);
+ (void) authResult;
+
pParse->zAuthContext = zSavedAuthContext;
/* If the sub-query is a compound SELECT statement, then (by restrictions
@@ -101357,8 +101392,10 @@ SQLCIPHER_PRIVATE void sqlcipher3VtabBeginParse(
** The second call, to obtain permission to create the table, is made now.
*/
if( pTable->azModuleArg ){
- sqlcipher3AuthCheck(pParse, SQLCIPHER_CREATE_VTABLE, pTable->zName,
+ int rc = sqlcipher3AuthCheck(pParse, SQLCIPHER_CREATE_VTABLE, pTable->zName,
pTable->azModuleArg[0], pParse->db->aDb[iDb].zName);
+ // patch to fix unchecked return value warning from prevent
+ (void) rc;
}
#endif
}
@@ -104288,7 +104325,12 @@ static sqlcipher3_index_info *allocateIndexInfo(
testcase( pTerm->eOperator==WO_IN );
testcase( pTerm->eOperator==WO_ISNULL );
if( pTerm->eOperator & (WO_IN|WO_ISNULL) ) continue;
+
+ // patch to fix dead code warning from prevent
+ // TERM_VNULL is always 0 if SQLCIPHER_ENABLE_STAT3 feature is not defined.
+#ifdef SQLCIPHER_ENABLE_STAT3
if( pTerm->wtFlags & TERM_VNULL ) continue;
+#endif
nTerm++;
}
@@ -104339,7 +104381,12 @@ static sqlcipher3_index_info *allocateIndexInfo(
testcase( pTerm->eOperator==WO_IN );
testcase( pTerm->eOperator==WO_ISNULL );
if( pTerm->eOperator & (WO_IN|WO_ISNULL) ) continue;
+
+ // patch to fix dead code warning from prevent
+ // TERM_VNULL is always 0 if SQLCIPHER_ENABLE_STAT3 feature is not defined.
+#ifdef SQLCIPHER_ENABLE_STAT3
if( pTerm->wtFlags & TERM_VNULL ) continue;
+#endif
pIdxCons[j].iColumn = pTerm->u.leftColumn;
pIdxCons[j].iTermOffset = i;
pIdxCons[j].op = (u8)pTerm->eOperator;
diff --git a/src/plugin/password-plugin.cpp b/src/plugin/password-plugin.cpp
index 988de24..5d42f9a 100644
--- a/src/plugin/password-plugin.cpp
+++ b/src/plugin/password-plugin.cpp
@@ -19,6 +19,7 @@
*/
#include <security-server-plugin-api.h>
+#include <ckm/ckm-client-info.h>
#include <ckm/ckm-control.h>
#include <ckm/ckm-type.h>
@@ -31,78 +32,99 @@ namespace SecurityServer {
class KEY_MANAGER_API Plugin : public PasswordPlugin {
public:
- Plugin();
- virtual int changeUserPassword(uid_t user, const std::string &oldPass, const std::string &newPass);
- virtual int login(uid_t user, const std::string &password);
- virtual int logout(uid_t user);
- virtual int resetUserPassword(uid_t user, const std::string &newPass);
- virtual int removeUserData(uid_t user);
- virtual ~Plugin(){}
+ Plugin() {}
+ virtual int changeUserPassword(const std::string &zone, uid_t user, const std::string &oldPass, const std::string &newPass);
+ virtual int login(const std::string &zone, uid_t user, const std::string &password);
+ virtual int logout(const std::string &zone, uid_t user);
+ virtual int resetUserPassword(const std::string &zone, uid_t user, const std::string &newPass);
+ virtual int removeUserData(const std::string &zone, uid_t user);
+ virtual ~Plugin() {}
private:
- CKM::ControlShPtr m_control;
+ CKM::ClientInfo getClientInfo(const std::string &zone, uid_t user);
};
-Plugin::Plugin() {
- m_control = CKM::Control::create();
+CKM::ClientInfo Plugin::getClientInfo(const std::string &zone, uid_t user)
+{
+ return CKM::ClientInfo(zone, user);
}
-int Plugin::changeUserPassword(uid_t user, const std::string &oldPass, const std::string &newPass) {
+int Plugin::changeUserPassword(
+ const std::string &zone,
+ uid_t user,
+ const std::string &oldPass,
+ const std::string &newPass)
+{
+ auto control = CKM::Control::create();
+ if (!control)
+ return SECURITY_SERVER_PLUGIN_FAIL;
+
CKM::Password oldPwd(oldPass.begin(), oldPass.end());
CKM::Password newPwd(newPass.begin(), newPass.end());
-
- if (!m_control)
- return SECURITY_SERVER_PLUGIN_FAIL;
+ CKM::ClientInfo clientInfo = getClientInfo(zone, user);
// CKM does not allow to change user password if database does
// not exists. We must create database before change password.
- if (CKM_API_SUCCESS != m_control->unlockUserKey(user, oldPwd))
+ if (CKM_API_SUCCESS != control->unlockUserKey(clientInfo, oldPwd))
return SECURITY_SERVER_PLUGIN_FAIL;
-
- if (CKM_API_SUCCESS != m_control->changeUserPassword(user, oldPwd, newPwd))
+ if (CKM_API_SUCCESS != control->changeUserPassword(clientInfo, oldPwd, newPwd))
return SECURITY_SERVER_PLUGIN_FAIL;
return SECURITY_SERVER_PLUGIN_SUCCESS;
}
-int Plugin::login(uid_t user, const std::string &password) {
- CKM::Password pwd(password.begin(), password.end());
-
- if (!m_control)
+int Plugin::login(
+ const std::string &zone,
+ uid_t user,
+ const std::string &password)
+{
+ auto control = CKM::Control::create();
+ if (!control)
return SECURITY_SERVER_PLUGIN_FAIL;
- if (CKM_API_SUCCESS != m_control->unlockUserKey(user, pwd))
+ CKM::Password pwd(password.begin(), password.end());
+
+ if (CKM_API_SUCCESS != control->unlockUserKey(getClientInfo(zone, user), pwd))
return SECURITY_SERVER_PLUGIN_FAIL;
return SECURITY_SERVER_PLUGIN_SUCCESS;
}
-int Plugin::logout(uid_t user) {
- if (!m_control)
+int Plugin::logout(const std::string &zone, uid_t user)
+{
+ auto control = CKM::Control::create();
+ if (!control)
return SECURITY_SERVER_PLUGIN_FAIL;
- if (CKM_API_SUCCESS != m_control->lockUserKey(user))
+ if (CKM_API_SUCCESS != control->lockUserKey(getClientInfo(zone, user)))
return SECURITY_SERVER_PLUGIN_FAIL;
return SECURITY_SERVER_PLUGIN_SUCCESS;
}
-int Plugin::resetUserPassword(uid_t user, const std::string &newPass) {
- CKM::Password pwd(newPass.begin(), newPass.end());
-
- if (!m_control)
+int Plugin::resetUserPassword(
+ const std::string &zone,
+ uid_t user,
+ const std::string &newPass)
+{
+ auto control = CKM::Control::create();
+ if (!control)
return SECURITY_SERVER_PLUGIN_FAIL;
- if (CKM_API_SUCCESS != m_control->resetUserPassword(user, pwd))
+ CKM::Password pwd(newPass.begin(), newPass.end());
+
+ if (CKM_API_SUCCESS != control->resetUserPassword(getClientInfo(zone, user), pwd))
return SECURITY_SERVER_PLUGIN_FAIL;
return SECURITY_SERVER_PLUGIN_SUCCESS;
}
-int Plugin::removeUserData(uid_t user) {
- if (!m_control)
+int Plugin::removeUserData(const std::string &zone, uid_t user)
+{
+ auto control = CKM::Control::create();
+ if (!control)
return SECURITY_SERVER_PLUGIN_FAIL;
- if (CKM_API_SUCCESS != m_control->removeUserData(user))
+ if (CKM_API_SUCCESS != control->removeUserData(getClientInfo(zone, user)))
return SECURITY_SERVER_PLUGIN_FAIL;
return SECURITY_SERVER_PLUGIN_SUCCESS;
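Review bot: In `changeUserPassword`, `unlockUserKey` is called first (the comment explains the database must exist), and if the following `changeUserPassword` call fails the function returns `SECURITY_SERVER_PLUGIN_FAIL` with the user key left unlocked, a side effect the caller did not ask for; whether that matters depends on `lockUserKey`'s cost, but either a `control->lockUserKey(clientInfo);` before the failing return or a comment stating the unlock is intentional would make the contract explicit. Every method now builds a fresh `CKM::Control::create()` instead of the old member; if that was done for thread safety or to reconnect after a service restart, a one-line comment on the class would keep the next reader from re-adding the member. `getClientInfo` only forwards to the `ClientInfo` constructor, so it could be dropped in favour of `CKM::ClientInfo(zone, user)` at the call sites.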
@@ -119,5 +141,3 @@ KEY_MANAGER_API
void destroy(SecurityServer::PasswordPlugin *obj) {
delete obj;
}
-
-
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index f9005e7..070106a 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -3,8 +3,6 @@ CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service.in
INSTALL(FILES
${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service
- ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.target
- ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-listener.service
${CMAKE_SOURCE_DIR}/systemd/central-key-manager-api-control.socket
${CMAKE_SOURCE_DIR}/systemd/central-key-manager-api-storage.socket
${CMAKE_SOURCE_DIR}/systemd/central-key-manager-api-ocsp.socket
diff --git a/systemd/central-key-manager-api-control.socket b/systemd/central-key-manager-api-control.socket
index 7c132a6..0f76e14 100644
--- a/systemd/central-key-manager-api-control.socket
+++ b/systemd/central-key-manager-api-control.socket
@@ -1,14 +1,15 @@
+[Unit]
+Description=key manager socket for control API
+Before=central-key-manager.service
+
[Socket]
+SocketUser=system
+SocketGroup=system
ListenStream=/tmp/.central-key-manager-api-control.sock
+Service=central-key-manager.service
SocketMode=0777
SmackLabelIPIn=key-manager::api-control
SmackLabelIPOut=@
-Service=central-key-manager.service
-
-[Unit]
-Wants=central-key-manager.target
-Before=central-key-manager.target
-
[Install]
WantedBy=sockets.target
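Review bot: `SocketMode=0777` on a socket under the world-writable `/tmp` leaves access to the control API enforced solely by `SmackLabelIPIn=key-manager::api-control`; on an image or kernel without Smack enforcement any local process could connect, and a local user who creates `/tmp/.central-key-manager-api-control.sock` first can presumably block the bind, since the sticky bit stops systemd from unlinking a file it does not own. Now that the unit sets `SocketUser=system`/`SocketGroup=system`, a tighter mode is cheap: `SocketMode=0660` and a path under `/run` such as `ListenStream=/run/key-manager/api-control.sock`, keeping the Smack label as the second layer. The same applies to the storage and ocsp socket units in this commit.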
diff --git a/systemd/central-key-manager-api-ocsp.socket b/systemd/central-key-manager-api-ocsp.socket
index b20e7e7..f5d55a1 100644
--- a/systemd/central-key-manager-api-ocsp.socket
+++ b/systemd/central-key-manager-api-ocsp.socket
@@ -1,14 +1,15 @@
+[Unit]
+Description=key manager socket for ocsp API
+Before=central-key-manager.service
+
[Socket]
+SocketUser=system
+SocketGroup=system
ListenStream=/tmp/.central-key-manager-api-ocsp.sock
+Service=central-key-manager.service
SocketMode=0777
SmackLabelIPIn=key-manager::api-ocsp
SmackLabelIPOut=@
-Service=central-key-manager.service
-
-[Unit]
-Wants=central-key-manager.target
-Before=central-key-manager.target
-
[Install]
WantedBy=sockets.target
diff --git a/systemd/central-key-manager-api-storage.socket b/systemd/central-key-manager-api-storage.socket
index 7bc5350..fc725d5 100644
--- a/systemd/central-key-manager-api-storage.socket
+++ b/systemd/central-key-manager-api-storage.socket
@@ -1,14 +1,15 @@
+[Unit]
+Description=key manager socket for storage API
+Before=central-key-manager.service
+
[Socket]
+SocketUser=system
+SocketGroup=system
ListenStream=/tmp/.central-key-manager-api-storage.sock
+Service=central-key-manager.service
SocketMode=0777
SmackLabelIPIn=key-manager::api-storage
SmackLabelIPOut=@
-Service=central-key-manager.service
-
-[Unit]
-Wants=central-key-manager.target
-Before=central-key-manager.target
-
[Install]
WantedBy=sockets.target
diff --git a/systemd/central-key-manager-listener.service b/systemd/central-key-manager-listener.service
deleted file mode 100644
index ba2b8bc..0000000
--- a/systemd/central-key-manager-listener.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Start the Central Key Manager Listener
-Requires=dbus.service
-After=central-key-manager.service
-
-[Service]
-Type=simple
-ExecStart=/usr/bin/key-manager-listener
-
-[Install]
-WantedBy=multi-user.target
diff --git a/systemd/central-key-manager.service.in b/systemd/central-key-manager.service.in
index 469db7a..5455de7 100644
--- a/systemd/central-key-manager.service.in
+++ b/systemd/central-key-manager.service.in
@@ -1,8 +1,11 @@
[Unit]
Description=Start the Central Key Manager
-DefaultDependencies=no
+Requires=central-key-manager-api-storage.socket central-key-manager-api-control.socket central-key-manager-api-ocsp.socket
[Service]
+User=system
+Group=system
+SmackProcessLabel=key-manager
Type=notify
ExecStart=/usr/bin/key-manager
Sockets=central-key-manager-api-storage.socket
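Review bot: Running as `User=system` with `SmackProcessLabel=key-manager` is a welcome drop from root, but the unit adds no other hardening; with the service now unprivileged, `NoNewPrivileges=true` is the obvious next line in `[Service]` and should not break anything. Also `Requires=` lists all three sockets while only `Sockets=central-key-manager-api-storage.socket` is visible here; the rest of the `[Service]` section lies outside the hunk, so please confirm the control and ocsp sockets are listed under `Sockets=` as well, otherwise the service will be started by them but not receive their file descriptors. Dropping `DefaultDependencies=no` changes when the service is allowed to start (it now orders after basic.target); if that was intentional, a short comment in the unit would help.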
diff --git a/systemd/central-key-manager.target b/systemd/central-key-manager.target
deleted file mode 100644
index 01eaa8e..0000000
--- a/systemd/central-key-manager.target
+++ /dev/null
@@ -1,4 +0,0 @@
-[Unit]
-Description=Central Key Manager sockets
-DefaultDependencies=true
-
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index e3d39af..5d84ba1 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -17,6 +17,7 @@ INCLUDE_DIRECTORIES(
${KEY_MANAGER_PATH}/service
${KEY_MANAGER_PATH}/common/
${KEY_MANAGER_PATH}/client-async/
+ ${KEY_MANAGER_PATH}/client-capi/
${KEY_MANAGER_SRC_PATH}/include
${KEY_MANAGER_TEST_MERGED_SRC}/
)
@@ -51,3 +52,38 @@ TARGET_LINK_LIBRARIES(${TARGET_TEST_MERGED}
)
INSTALL(TARGETS ${TARGET_TEST_MERGED} DESTINATION bin)
+
+################################################################################
+PKG_CHECK_MODULES(KEY_MANAGER_TEST_LCOV_DEP
+ REQUIRED
+ openssl
+ )
+
+
+SET(KEY_MANAGER_TEST_LCOV_SRC ${PROJECT_SOURCE_DIR}/tests)
+
+SET(TEST_LCOV_SOURCES
+ ${KEY_MANAGER_TEST_LCOV_SRC}/main_lcov.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/test_common.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/colour_log_formatter.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/test_lcov_certificate-impl.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/test_lcov_ckmc-type-converter.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/test_lcov_client-error.cpp
+ ${KEY_MANAGER_TEST_LCOV_SRC}/test_lcov_key-impl.cpp
+ ${KEY_MANAGER_PATH}/client/client-error.cpp
+ ${KEY_MANAGER_PATH}/client-capi/ckmc-type-converter.cpp
+ ${KEY_MANAGER_PATH}/dpl/core/src/assert.cpp
+ ${KEY_MANAGER_PATH}/dpl/core/src/colors.cpp
+ )
+
+ADD_EXECUTABLE(${TARGET_TEST_LCOV} ${TEST_LCOV_SOURCES})
+
+TARGET_LINK_LIBRARIES(${TARGET_TEST_LCOV}
+ ${TARGET_KEY_MANAGER_COMMON}
+ ${CMAKE_THREAD_LIBS_INIT}
+ ${KEY_MANAGER_TEST_LCOV_DEP_LIBRARIES}
+ boost_unit_test_framework
+ -ldl
+ )
+
+INSTALL(TARGETS ${TARGET_TEST_LCOV} DESTINATION bin)
diff --git a/tests/main_lcov.cpp b/tests/main_lcov.cpp
new file mode 100644
index 0000000..9dd21f0
--- /dev/null
+++ b/tests/main_lcov.cpp
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file main.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ */
+
+#define BOOST_TEST_MODULE CKM_TEST_LCOV_INTERNAL
+#define BOOST_TEST_MAIN
+
+
+#include <iostream>
+#include <key-provider.h>
+#include <boost/test/unit_test.hpp>
+#include <boost/test/unit_test_log.hpp>
+#include <boost/test/results_reporter.hpp>
+#include <colour_log_formatter.h>
+#include <dpl/log/log.h>
+
+struct TestConfig {
+ TestConfig() {
+ boost::unit_test::unit_test_log.set_threshold_level( boost::unit_test::log_test_units);
+ boost::unit_test::results_reporter::set_level(boost::unit_test::SHORT_REPORT);
+ boost::unit_test::unit_test_log.set_formatter(new CKM::colour_log_formatter);
+ }
+ ~TestConfig(){
+ }
+};
+
+bool isLibInitialized = false;
+
+struct KeyProviderLib {
+ KeyProviderLib() {
+ }
+ ~KeyProviderLib() {
+ }
+};
+
+struct LogSetup {
+ LogSetup() {
+ CKM::Singleton<CKM::Log::LogSystem>::Instance().SetTag("CKM_INTERNAL_TESTS");
+ }
+ ~LogSetup() {}
+};
+
+BOOST_GLOBAL_FIXTURE(KeyProviderLib)
+BOOST_GLOBAL_FIXTURE(TestConfig)
+BOOST_GLOBAL_FIXTURE(LogSetup)
+
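Review bot: `bool isLibInitialized = false;` is never read, the `KeyProviderLib` fixture registered via `BOOST_GLOBAL_FIXTURE` has an empty constructor and destructor, and `<key-provider.h>` and `<iostream>` are included but unused, so the file carries dead setup that suggests initialization which does not happen. Either drop the unused global, the empty fixture and the two includes, or, if key-provider initialization is intended for this binary, put it in the fixture so the name is true; the `@file main.cpp` tag should also read `@file main_lcov.cpp` to match the new file. Note that `BOOST_GLOBAL_FIXTURE` order is construction order, so `LogSetup` sets the log tag after `TestConfig` has already replaced the formatter — presumably harmless, but worth a one-line comment if the order matters.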
diff --git a/tests/test_db_crypto.cpp b/tests/test_db_crypto.cpp
index 93c70ad..785e5d8 100644
--- a/tests/test_db_crypto.cpp
+++ b/tests/test_db_crypto.cpp
@@ -39,6 +39,7 @@ int getRandom()
return randVal;
}
+
} // namespace anonymous
BOOST_FIXTURE_TEST_SUITE(DBCRYPTO_TEST, DBFixture)
diff --git a/tests/test_lcov_certificate-impl.cpp b/tests/test_lcov_certificate-impl.cpp
new file mode 100644
index 0000000..56f89f7
--- /dev/null
+++ b/tests/test_lcov_certificate-impl.cpp
@@ -0,0 +1,89 @@
+#include <boost/test/unit_test.hpp>
+#include <test_common.h>
+
+#include <certificate-impl.h>
+#include <base64.h>
+#include <openssl/x509.h>
+
+#include <string>
+
+
+using namespace CKM;
+
+BOOST_AUTO_TEST_SUITE(CKM_CERTIFICATE_IMPL_TEST)
+
+
+BOOST_AUTO_TEST_CASE(CKM_CERTIFICATE_IMPL_TESTS) {
+ std::string certStr =
+ "MIIDOzCCAiOgAwIBAgIBADANBgkqhkiG9w0BAQUFADBYMRowGAYDVQQKDBFUaXpl\n"
+ "biBBc3NvY2lhdGlvbjEaMBgGA1UECwwRVGl6ZW4gQXNzb2NpYXRpb24xHjAcBgNV\n"
+ "BAMMFVRpemVuIERldmVsb3BlcnMgUm9vdDAeFw0xMjAxMDEwMDAwMDBaFw0zMjAx\n"
+ "MDEwMDAwMDBaMFgxGjAYBgNVBAoMEVRpemVuIEFzc29jaWF0aW9uMRowGAYDVQQL\n"
+ "DBFUaXplbiBBc3NvY2lhdGlvbjEeMBwGA1UEAwwVVGl6ZW4gRGV2ZWxvcGVycyBS\n"
+ "b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp2rCwXTYh28vcagX\n"
+ "WLIeVtEvXA5EeTR9UnL4Dzyd7hIq8rkxLbIMMOcCrXMTc7bEH2twFaTuXxyKXMW/\n"
+ "2c+id3m3Z1B5caCqwSPr72oKPSI4jSkvrAC5W7EHx16M818aG4tQkXIUBhDrtSmH\n"
+ "6dFOdt8zGq2fanj1sETfUmXAeLGE7OQYcEb2SoWGXR75Ytfp1LAw/L3luuG/kbzB\n"
+ "crZt1Cv05jfCP575eope6p5p80Gl0tieXyPYhSLVTLwhEdWx18CMaC7IXQo2Bm+J\n"
+ "djDH0Ruh/vTRnjFtmVB+nBOZNVzMHNOPUVFKSgysX/+PlM4jBTvbaTnPCZUkC/O7\n"
+ "5tYIpwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBw\n"
+ "95ibcuAiKpAEqBMyTZtOf0okhSi9NYfs/AFIPLH5REnhtQkPmKsvDp21OSdzrFEL\n"
+ "42rV94K98QChD9tGO6Mwp1ZHM3No7/PLC3EelOwmn4dr3KPGdjvQNSwKRblGh0Hj\n"
+ "n4fI+studFLLv6ldCLIpA/Ssgf9GuUbcjTC8OWBYPVUQ6YoXAcuHbfhr6a2IXRTj\n"
+ "lJUCt3qWyciP2H/R+oNBSjtlq13ZT+D9AQMmIG/5w1tK0HzDRhORfWlKCo5JKn0A\n"
+ "iQq2fwtoB0JQEHRKCKZYWghG41HuKc82xLf6H7x24XWOAlXb0SpvVENT1i89XNrj\n"
+ "XS4modIY545rYjI1amfL\n";
+
+ CertificateImpl cert(RawBuffer(certStr.begin(),certStr.end()), DataFormat::FORM_DER_BASE64);
+ X509* certX509 = cert.getX509();
+
+ CertificateImpl cert2(certX509, true);
+
+ CertificateImpl cert3(cert);
+ CertificateImpl cert4(CertificateImpl(cert));
+
+ CertificateImpl cert5 = cert;
+ CertificateImpl cert6 = CertificateImpl(cert);
+
+ KeyImpl::EvpShPtr certEvpShPtr = cert.getEvpShPtr();
+
+ KeyImpl keyImpl = cert.getKeyImpl();
+
+ std::string issuer = cert.getOneLine(CertificateFieldId::ISSUER);
+ std::string subject = cert.getOneLine(CertificateFieldId::SUBJECT);
+
+ std::string issuerCommonNameField = cert.getField(CertificateFieldId::ISSUER, NID_commonName);
+
+ std::string commonName = cert.getCommonName(CertificateFieldId::SUBJECT);
+ std::string country = cert.getCountryName(CertificateFieldId::SUBJECT);
+ std::string state = cert.getStateOrProvinceName(CertificateFieldId::SUBJECT);
+ std::string locality = cert.getLocalityName(CertificateFieldId::SUBJECT);
+ std::string organization = cert.getOrganizationName(CertificateFieldId::SUBJECT);
+ std::string ouName = cert.getOrganizationalUnitName(CertificateFieldId::SUBJECT);
+ std::string email = cert.getEmailAddres(CertificateFieldId::SUBJECT);
+ std::string ocspUrl = cert.getOCSPURL();
+}
+
+BOOST_AUTO_TEST_CASE(CKM_BASE64_TESTS) {
+ std::string origStr = "test data";
+ RawBuffer origBuffer(origStr.begin(), origStr.end());
+
+ Base64Encoder encoder;
+ encoder.reset();
+ encoder.append(origBuffer);
+ encoder.finalize();
+ RawBuffer base64 = encoder.get();
+
+ Base64Decoder decoder;
+ decoder.reset();
+ decoder.append(base64);
+ decoder.finalize();
+ RawBuffer decoded = decoder.get();
+
+ std::string decodedStr = std::string(decoded.begin(), decoded.end());
+
+ BOOST_REQUIRE_MESSAGE(origStr.compare(decodedStr) == 0, "Base64 encoding/decoding returned a wrong value");
+}
+
+
+BOOST_AUTO_TEST_SUITE_END()
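Review bot: `CKM_CERTIFICATE_IMPL_TESTS` calls every accessor but asserts nothing, so a regression that makes `CertificateImpl` parse the blob into an empty object would still pass; at minimum add `BOOST_REQUIRE_MESSAGE(certX509 != nullptr, "certificate did not parse");` after `getX509()` and `BOOST_REQUIRE_MESSAGE(!commonName.empty(), "empty subject CN");` after `getCommonName`. The base64 text presumably decodes to a subject with CN "Tizen Developers Root", so pinning `commonName` to that value would make the test meaningful once confirmed. `CertificateImpl cert2(certX509, true);` deserves a comment on what the bool means — if it transfers ownership rather than bumping the X509 reference count, `cert` and `cert2` would both own the same object and free it twice at scope exit.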
diff --git a/tests/test_lcov_ckmc-type-converter.cpp b/tests/test_lcov_ckmc-type-converter.cpp
new file mode 100644
index 0000000..642e43c
--- /dev/null
+++ b/tests/test_lcov_ckmc-type-converter.cpp
@@ -0,0 +1,215 @@
+#include <boost/test/unit_test.hpp>
+#include <test_common.h>
+
+#include <ckmc/ckmc-type.h>
+#include <ckmc-type-converter.h>
+
+
+#include <string>
+
+
+using namespace CKM;
+
+BOOST_AUTO_TEST_SUITE(CKMC_TYPE_CONVERTER_TEST)
+
+
+BOOST_AUTO_TEST_CASE(CKMC_TYPE_CONVERTER_to_ckm_error) {
+ int ckm_error = -1;
+
+ ckm_error = to_ckm_error(CKMC_ERROR_NONE);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_SUCCESS, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_SOCKET);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_SOCKET, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_BAD_REQUEST);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_BAD_REQUEST, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_BAD_RESPONSE);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_BAD_RESPONSE, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_SEND_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_SEND_FAILED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_RECV_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_RECV_FAILED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_AUTHENTICATION_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_AUTHENTICATION_FAILED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_INVALID_PARAMETER);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_INPUT_PARAM, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_BUFFER_TOO_SMALL);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_BUFFER_TOO_SMALL, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_OUT_OF_MEMORY);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_OUT_OF_MEMORY, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_PERMISSION_DENIED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_ACCESS_DENIED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_SERVER_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_SERVER_ERROR, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_DB_LOCKED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_DB_LOCKED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_DB_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_DB_ERROR, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_DB_ALIAS_EXISTS);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_DB_ALIAS_EXISTS, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_DB_ALIAS_UNKNOWN);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_DB_ALIAS_UNKNOWN, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_VERIFICATION_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_VERIFICATION_FAILED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_INVALID_FORMAT);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_INVALID_FORMAT, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_FILE_ACCESS_DENIED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_FILE_ACCESS_DENIED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_NOT_EXPORTABLE);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_NOT_EXPORTABLE, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_FILE_SYSTEM);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_FILE_SYSTEM, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_NOT_SUPPORTED);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_NOT_SUPPORTED, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(CKMC_ERROR_UNKNOWN);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_UNKNOWN, "invalid ckm error returned");
+
+ ckm_error = to_ckm_error(-99999);
+ BOOST_REQUIRE_MESSAGE( ckm_error == CKM_API_ERROR_UNKNOWN, "invalid ckm error returned");
+}
+
+
+BOOST_AUTO_TEST_CASE(CKMC_TYPE_CONVERTER_to_ckmc_error) {
+ int ckmc_error = -1;
+
+ ckmc_error = to_ckmc_error(CKM_API_SUCCESS);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_NONE, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_SOCKET);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_SOCKET, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_BAD_REQUEST);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_BAD_REQUEST, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_BAD_RESPONSE);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_BAD_RESPONSE, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_SEND_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_SEND_FAILED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_RECV_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_RECV_FAILED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_AUTHENTICATION_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_AUTHENTICATION_FAILED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_INPUT_PARAM);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_INVALID_PARAMETER, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_BUFFER_TOO_SMALL);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_BUFFER_TOO_SMALL, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_OUT_OF_MEMORY);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_OUT_OF_MEMORY, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_ACCESS_DENIED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_PERMISSION_DENIED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_SERVER_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_SERVER_ERROR, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_DB_LOCKED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_DB_LOCKED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_DB_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_DB_ERROR, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_DB_ALIAS_EXISTS);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_DB_ALIAS_EXISTS, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_DB_ALIAS_UNKNOWN);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_DB_ALIAS_UNKNOWN, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_VERIFICATION_FAILED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_VERIFICATION_FAILED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_INVALID_FORMAT);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_INVALID_FORMAT, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_FILE_ACCESS_DENIED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_FILE_ACCESS_DENIED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_NOT_EXPORTABLE);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_NOT_EXPORTABLE, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_FILE_SYSTEM);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_FILE_SYSTEM, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_NOT_SUPPORTED);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_NOT_SUPPORTED, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(CKM_API_ERROR_UNKNOWN);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_UNKNOWN, "invalid ckmc error returned");
+
+ ckmc_error = to_ckmc_error(-9999);
+ BOOST_REQUIRE_MESSAGE( ckmc_error == CKMC_ERROR_UNKNOWN, "invalid ckmc error returned");
+}
+
+BOOST_AUTO_TEST_CASE(CKMC_TYPE_CONVERTER_to_ckmc_ocsp_status) {
+ int ckmc_ocsp= -1;
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_GOOD);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_STATUS_GOOD, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_UNSUPPORTED);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_UNSUPPORTED, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_REVOKED);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_STATUS_REVOKED, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_NET_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_NET, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_INVALID_URL);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_INVALID_URL, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_INVALID_RESPONSE);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_INVALID_RESPONSE, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_REMOTE_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_REMOTE, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(CKM_API_OCSP_STATUS_INTERNAL_ERROR);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_ERROR_INTERNAL, "invalid ckmc ocsp status returned");
+
+ ckmc_ocsp = to_ckmc_ocsp_status(-9999);
+ BOOST_REQUIRE_MESSAGE( ckmc_ocsp == CKMC_OCSP_STATUS_UNKNOWN, "invalid ckmc ocsp status returned");
+}
+
+
+BOOST_AUTO_TEST_CASE(CKMC_TYPE_CONVERTER_to_permission_mask) {
+ int ret = -1;
+ int permissionMask = -1;
+
+ ret = access_to_permission_mask(CKMC_AR_READ, permissionMask);
+ BOOST_REQUIRE_MESSAGE( ret == CKMC_ERROR_NONE , "error returned");
+ BOOST_REQUIRE_MESSAGE( permissionMask == CKMC_PERMISSION_READ, "invalid permission mask returned");
+
+ ret = access_to_permission_mask(CKMC_AR_READ_REMOVE, permissionMask);
+ BOOST_REQUIRE_MESSAGE( ret == CKMC_ERROR_NONE , "error returned");
+ BOOST_REQUIRE_MESSAGE( permissionMask == (CKMC_PERMISSION_READ | CKMC_PERMISSION_REMOVE),
+ "invalid permission mask returned");
+}
+
+BOOST_AUTO_TEST_SUITE_END()
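Review bot: `CKMC_TYPE_CONVERTER_to_permission_mask` only exercises the two valid inputs, unlike the three error-code tests above it which each end with an out-of-range sentinel; the failure path of `access_to_permission_mask` is therefore untested and its contract for an unknown access right (error code, and whether `permissionMask` is left untouched) is not pinned. Add a case along the lines of `permissionMask = -1; ret = access_to_permission_mask(static_cast<decltype(CKMC_AR_READ)>(-1), permissionMask);` followed by `BOOST_REQUIRE_MESSAGE(ret != CKMC_ERROR_NONE, "invalid access right accepted");`, using whichever error code the converter actually returns. The repeated assign-then-require pairs in the two error tests would also read better as a table of `{input, expected}` pairs iterated in one loop, which makes a missing mapping a one-line addition.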
diff --git a/tests/test_lcov_client-error.cpp b/tests/test_lcov_client-error.cpp
new file mode 100644
index 0000000..36cc2bf
--- /dev/null
+++ b/tests/test_lcov_client-error.cpp
@@ -0,0 +1,89 @@
+#include <boost/test/unit_test.hpp>
+#include <test_common.h>
+
+#include <ckm/ckm-type.h>
+#include <ckm/ckm-error.h>
+
+#include <string>
+
+
+using namespace CKM;
+
+BOOST_AUTO_TEST_SUITE(CKM_ERROR_TEST)
+
+
+BOOST_AUTO_TEST_CASE(CKM_ERROR_ErrorToString) {
+ std::string errString;
+
+ errString = std::string(ErrorToString(CKM_API_SUCCESS));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_SUCCESS") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_SOCKET));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_SOCKET") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_BAD_REQUEST));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_BAD_REQUEST") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_BAD_RESPONSE));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_BAD_RESPONSE") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_SEND_FAILED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_SEND_FAILED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_RECV_FAILED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_RECV_FAILED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_AUTHENTICATION_FAILED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_AUTHENTICATION_FAILED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_INPUT_PARAM));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_INPUT_PARAM") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_BUFFER_TOO_SMALL));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_BUFFER_TOO_SMALL") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_OUT_OF_MEMORY));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_OUT_OF_MEMORY") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_ACCESS_DENIED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_ACCESS_DENIED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_SERVER_ERROR));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_SERVER_ERROR") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_DB_LOCKED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_DB_LOCKED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_DB_ERROR));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_DB_ERROR") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_DB_ALIAS_EXISTS));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_DB_ALIAS_EXISTS") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_DB_ALIAS_UNKNOWN));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_DB_ALIAS_UNKNOWN") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_VERIFICATION_FAILED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_VERIFICATION_FAILED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_INVALID_FORMAT));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_INVALID_FORMAT") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_FILE_ACCESS_DENIED));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_FILE_ACCESS_DENIED") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_NOT_EXPORTABLE));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_NOT_EXPORTABLE") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_FILE_SYSTEM));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_FILE_SYSTEM") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(CKM_API_ERROR_UNKNOWN));
+ BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_UNKNOWN") == 0, "Invalid Error String");
+
+ errString = std::string(ErrorToString(-99999));
+ BOOST_REQUIRE_MESSAGE(errString.compare("Error not defined") == 0, "Invalid Error String");
+}
+
+
+BOOST_AUTO_TEST_SUITE_END()
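Review bot: `CKM_ERROR_ErrorToString` skips `CKM_API_ERROR_NOT_SUPPORTED`, which the sibling converter test in this commit treats as a defined code, so the string mapping for it is the one case left unverified. Add `errString = std::string(ErrorToString(CKM_API_ERROR_NOT_SUPPORTED));` and `BOOST_REQUIRE_MESSAGE(errString.compare("CKM_API_ERROR_NOT_SUPPORTED") == 0, "Invalid Error String");` between the FILE_SYSTEM and UNKNOWN cases, assuming `ErrorToString` follows the same naming for that code. Wrapping every result in `std::string(...)` only to call `compare` could be simplified to a direct `==` against the literal, which also keeps the failure message readable.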
diff --git a/tests/test_lcov_key-impl.cpp b/tests/test_lcov_key-impl.cpp
new file mode 100644
index 0000000..c72421d
--- /dev/null
+++ b/tests/test_lcov_key-impl.cpp
@@ -0,0 +1,43 @@
+#include <boost/test/unit_test.hpp>
+#include <test_common.h>
+
+#include <key-impl.h>
+#include <ckm/ckm-type.h>
+
+#include <string>
+
+
+using namespace CKM;
+
+BOOST_AUTO_TEST_SUITE(CKM_KEY_IMPL_TEST)
+
+
+BOOST_AUTO_TEST_CASE(CKM_KEY_IMPL_TESTS) {
+
+ std::string keyPem = "-----BEGIN PUBLIC KEY-----\n"
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n"
+ "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n"
+ "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n"
+ "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n"
+ "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n"
+ "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n"
+ "zQIDAQAB\n"
+ "-----END PUBLIC KEY-----";
+
+ CKM::RawBuffer buffer(keyPem.begin(), keyPem.end());
+ KeyImpl key(buffer, CKM::Password());
+
+ KeyImpl key2(key);
+ KeyImpl key3 = key2;
+
+ KeyImpl::EvpShPtr keyEvpShPtr = key3.getEvpShPtr();
+ ElipticCurve curve = key.getCurve();
+ int size = key.getSize();
+
+ BOOST_REQUIRE_MESSAGE(keyEvpShPtr != NULL, "Null Key Pointer");
+ BOOST_REQUIRE_MESSAGE(curve == ElipticCurve::prime192v1, "Invalid Curve");
+ BOOST_REQUIRE_MESSAGE(size >= 0, "Invalid Key Size");
+}
+
+
+BOOST_AUTO_TEST_SUITE_END()
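Review bot: The PEM blob is an RSA public key (its `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A` prefix is the rsaEncryption SubjectPublicKeyInfo header), so `curve == ElipticCurve::prime192v1` pins whatever default `getCurve()` reports for a non-EC key rather than a property of the key, and `size >= 0` accepts almost any value. The assertions that would actually protect parsing are the key being recognized as RSA public and `size` matching the modulus length (2048 bits by the `MIIBCgKCAQEA` modulus header) in whatever unit `getSize()` uses — confirm the unit against `KeyImpl` and then pin it, e.g. `BOOST_REQUIRE_MESSAGE(size == 2048, "Invalid Key Size");`. A short comment noting that the curve check is only a default-value check would help if it is kept deliberately; `NULL` in the pointer check should be `nullptr`.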
diff --git a/tools/ckm_so_loader.cpp b/tools/ckm_so_loader.cpp
index a39adb6..2af4d06 100644
--- a/tools/ckm_so_loader.cpp
+++ b/tools/ckm_so_loader.cpp
@@ -94,12 +94,27 @@ int main(int argc, char* argv[])
string so_path(argv[3]);
string symbol(argv[4]);
+ /*
+ * perform sanity check of user input string
+ * which will be used for dlopen
+ */
+ if (so_path.compare(so_path.size() - 3, 3, ".so")
+ && so_path.compare(so_path.size() - 5, 3, ".so")
+ && so_path.compare(so_path.size() - 9, 3, ".so")) {
+ cerr << "[" << so_path << "] doesn't has .so postfix." << endl;
+ return -1;
+ }
+ if (access(so_path.c_str(), R_OK)) {
+ cerr << "cannot read [" << so_path << "]" << endl;
+ return -1;
+ }
+
cout << "dlopen[us];dlsym[us]" << endl;
for (int cnt = 0 ; cnt < repeats; cnt++)
{
/*
- * It has to be a different process each time. Glibc somehow caches the library information
- * and consecutive calls are faster
+ * It has to be a different process each time. Glibc somehow caches the library information
+ * and consecutive calls are faster
*/
pid_t pid = fork();
if (pid < 0) {
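Review bot: `so_path.compare(so_path.size() - 9, 3, ".so")` (and the `- 5` / `- 3` terms) underflows `size_t` for a path shorter than the offset, so `compare` is handed a position beyond `size()` and throws `std::out_of_range`; a short argument therefore aborts the tool with an uncaught exception instead of printing the sanity-check message. The fixed offsets also only accept `.so`, `.so.N` and `.so.N.N.N` with single-digit components. A length-guarded check such as `const bool has_so = so_path.size() >= 3 && (so_path.compare(so_path.size() - 3, 3, ".so") == 0 || so_path.find(".so.") != string::npos);` followed by `if (!has_so) {` covers the same shapes without the exception; the message would read better as `doesn't have a .so suffix`. The enclosing `main` starts before this hunk.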