author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2014-05-27 17:06:04 +0200 |
---|---|---|
committer | Gerrit Code Review <gerrit2@localhost> | 2014-05-30 18:22:56 +0900 |
commit | 60bb8352d2e02a5872787a742975870365bac784 (patch) | |
tree | e944748eb4cfb44a3585a79a98dd8e11d520315b | |
parent | 8f4ef2f2d4ab987849b18e47adfe503e7703d7b2 (diff) | |
Add service for control operations.
Change-Id: I3e33a962cbeddab29b9dcb61096e5896a2cc8946
21 files changed, 573 insertions, 130 deletions
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index ba80570c..a82f2468 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -71,8 +71,10 @@ mkdir -p %{buildroot}/etc/security/ mkdir -p %{buildroot}/usr/lib/systemd/system/multi-user.target.wants mkdir -p %{buildroot}/usr/lib/systemd/system/sockets.target.wants -ln -s ../key-manager.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/key-manager.service -ln -s ../key-manager-echo.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/key-manager-echo.socket +ln -s ../central-key-manager.service %{buildroot}/usr/lib/systemd/system/multi-user.target.wants/central-key-manager.service +ln -s ../central-key-manager-echo.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/central-key-manager-echo.socket +ln -s ../central-key-manager-api-control.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/central-key-manager-api-control.socket +ln -s ../central-key-manager-api-storage.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/central-key-manager-api-storage.socket %clean rm -rf %{buildroot} 
@@ -110,11 +112,15 @@ fi %manifest %{_datadir}/key-manager.manifest %attr(755,root,root) /usr/bin/key-manager %{_libdir}/libkey-manager-commons.so.* -%attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/key-manager.service -%attr(-,root,root) /usr/lib/systemd/system/key-manager.service -%attr(-,root,root) /usr/lib/systemd/system/key-manager.target -%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/key-manager-echo.socket -%attr(-,root,root) /usr/lib/systemd/system/key-manager-echo.socket +%attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/central-key-manager.service +%attr(-,root,root) /usr/lib/systemd/system/central-key-manager.service +%attr(-,root,root) /usr/lib/systemd/system/central-key-manager.target +%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/central-key-manager-echo.socket +%attr(-,root,root) /usr/lib/systemd/system/central-key-manager-echo.socket +%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/central-key-manager-api-control.socket +%attr(-,root,root) /usr/lib/systemd/system/central-key-manager-api-control.socket +%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/central-key-manager-api-storage.socket +%attr(-,root,root) /usr/lib/systemd/system/central-key-manager-api-storage.socket %{_datadir}/license/%{name} %files -n libkey-manager-client diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 3e9f03e6..55032989 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -15,6 +15,8 @@ SET(KEY_MANAGER_SOURCES ${KEY_MANAGER_PATH}/main/socket-manager.cpp ${KEY_MANAGER_PATH}/main/key-manager-main.cpp ${KEY_MANAGER_PATH}/service/echo.cpp + ${KEY_MANAGER_PATH}/service/ckm-service.cpp + ${KEY_MANAGER_PATH}/service/ckm-logic.cpp ) SET_SOURCE_FILES_PROPERTIES( 
@@ -59,6 +61,7 @@ INCLUDE_DIRECTORIES( SET(KEY_MANAGER_CLIENT_SOURCES ${KEY_MANAGER_CLIENT_SRC_PATH}/client-common.cpp ${KEY_MANAGER_CLIENT_SRC_PATH}/client-echo.cpp + ${KEY_MANAGER_CLIENT_SRC_PATH}/client-control.cpp ) ADD_LIBRARY(${TARGET_KEY_MANAGER_CLIENT} SHARED ${KEY_MANAGER_CLIENT_SOURCES}) diff --git a/src/include/ckm/key-manager.h b/src/include/ckm/key-manager.h index 381289a7..2a0270dc 100644 --- a/src/include/ckm/key-manager.h +++ b/src/include/ckm/key-manager.h @@ -15,9 +15,10 @@ typedef std::string Alias; typedef std::vector<Alias> AliasVector; struct Policy { - Policy(const RawData &pass = RawData(), bool extract = true, bool restrict = false) - : extractable(extract) - , restricted(restrict) + Policy(const RawData &pass = RawData(), bool extract = true, bool rest = false) + : password(pass) + , extractable(extract) + , restricted(rest) {} RawData password; // byte array used to encrypt data inside CKM bool extractable; // if true key may be extracted from storage 
@@ -26,32 +27,35 @@ struct Policy { // used by login manager to unlock user data with global password // [CR] too generic name for class. maybe UserDataControl? -// It's in name space KeyStore so I don't see any problem but +// It's in name space KeyStore so I don't see any problem but class Control { public: + Control(); // decrypt user key with password int unlockUserKey(const std::string &user, const RawData &password) const; // remove user key from memory - void lockUserKey(const std::string &user); + int lockUserKey(const std::string &user) const; // remove user data from Store and erase key used for encryption - void removeUserData(const std::string &user); + int removeUserData(const std::string &user) const; // change password for user int changeUserPassword(const std::string &user, const RawData &oldPassword, const RawData &newPassword) const; - + // This is work around for security-server api - resetPassword that may be called without passing oldPassword. // This api should not be supported on tizen 3.0 // User must be already logged in and his DKEK is already loaded into memory in plain text form. // The service will use DKEK in plain text and encrypt it in encrypted form (using new password). int resetUserPassword(const std::string &user, const RawData &newPassword) const; + + virtual ~Control(); private: class ControlImpl; std::shared_ptr<ControlImpl> m_impl; }; - +/* class Key { public: // [CR] (just asking): is there any AES private/public? @@ -69,7 +73,7 @@ public: prime192v1 // TODO } - + enum class Format : unsigned int { PEM, DER }; @@ -92,7 +96,7 @@ public: // key size in bits RSA specific int getSize() const; - + // Eliptic curve type ECType getCurve() const; @@ -121,7 +125,7 @@ public: Certificate(Certificate &&certificate); Certificate& operator=(const Certificate &certificate); Certificate& operator=(Certificate &&certificate); - + bool empty() const; Key getKey() const; 
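Review bot: The `Control` class is still documented as design notes ("[CR] too generic name…", "This is work around for security-server api…") and the method that most needs a contract, `resetUserPassword`, is described only as something that "should not be supported on tizen 3.0" even though this commit wires it into the client library and the `ControlCommand` protocol. Since the service cannot verify the old password on that path, the header should state the authorization model a caller may rely on, e.g. `// Privileged: no old-password check is performed; the caller is trusted solely because it may reach the control socket, and the user's key must already be unlocked.` `lockUserKey` and `removeUserData` now return `int` (good, matching the other methods) but nothing says what the value is; `// returns a KEY_MANAGER_API_* result code` on each would match the constants the client implementation already uses. The class declaration is complete inside this hunk; the commented-out `Key`/`Certificate` block that starts at its end continues into later hunks.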
@@ -154,14 +158,14 @@ public: Pkcs12(Pkcs12 &&pkcs); Pkcs12& operator=(const Pkcs12 &pkcs); Pkcs12& operator=(Pkcs12 &&pkcs); - + Key getKey(const RawData &password = RawData()); Certificate getCertificate(); // this is connected with Key - + // check the API in openssl and translate it 1 to 1. - + CertificateVector getCertificateVector(); - + bool empty(); virtual ~Pkcs12(); private: @@ -213,7 +217,7 @@ public: const Alias &publicKeyAlias, const Policy &policyPrivateKey = Policy(), const Policy &policyPublicKey = Policy()); - + int createSignature( const Alias &privateKeyAlias, const RawData &password, // password for private_key @@ -221,7 +225,7 @@ public: const HashAlgorith hash, TODO Padding, RawData &signature); - + int verifySignature( const Alias &publicKeyOrCertAlias, const RawData &password, // password for public_key (optional) @@ -229,24 +233,24 @@ public: const RawData &signature, const HashAlgorithm, TODO Padding); - + // this fuction will return chains of certificates and check it with openssl // status : OK, INCOMPLETE_CHAIN, VERIFICATION_FAILED int getCertiticateChain( const Certificate &certificate, const CertificateVector &untrustedCertificates, CertificateVector &certificateChainVector); - + int getCertificateChain( const Certificate &certificate, const AliasVector &untrustedCertificates, CertificateVector &certificateChainVector); - + int strictCACheck(const CertificateVector &certificateVector); // This function will check all certificates in chain except Root CA. int ocspCheck(const CertificateVector &certificateChainVector); - + private: class ManagerImpl; std::shared_ptr<ManagerSyncImpl> m_impl; @@ -295,11 +299,11 @@ public: // TODO: describe status // Do we need some chain of the certificate? virtual void ReceivedVerifyCertificate() {} - + virtual void ReceivedGetCertiticateChain(CertificateVector &&certificateVector) {} virtual void ReceivedStrictCACheck(); virtual void ReceivedOCSPCheck(); - + virtual ~Observer() {} }; 
@@ -359,16 +363,16 @@ public: void getCertiticateChain( const Certificate &certificate, const CertificateVector &untrustedCertificates); - + void getCertificateChain( const Certificate &certificate, const AliasVector &untrustedCertificates); - + void strictCACheck(const CertificateVector &certificateVector); // This function will check all certificates in chain except Root CA. void ocspCheck(const CertificateVector &certificateChainVector); - + private: ConnectionAsyncImpl *m_impl; }; @@ -383,6 +387,7 @@ public: ManagerAsyncThread& operator=(ConnectionAsyncThread &&); virtual ~ConnectionAsyncThread() {} }; +*/ // Out of scope /* class ManagerAsyncNoThread : public ManagerAsync { diff --git a/src/manager/client/Control.cpp b/src/manager/client/client-control.cpp index f22b618f..2de55d3a 100644 --- a/src/manager/client/Control.cpp +++ b/src/manager/client/client-control.cpp @@ -1,5 +1,28 @@ -#include <message-buffer.h> +/* + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Contact: Bumjin Im <bj.im@samsung.com> + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + * @file client-common.cpp + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + * @brief This file is implementation of client-common functions. + */ #include <client-common.h> +#include <message-buffer.h> +#include <protocols.h> #include <ckm/key-manager.h> 
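Review bot: The new license header added to client-control.cpp was copied from another translation unit: `@file client-common.cpp` and `@brief This file is implementation of client-common functions.` describe a different file. Change them to `@file client-control.cpp` and `@brief Implementation of the CKM::Control client API (requests over the control socket).` The rest of the hunk is includes only, and the `Control::ControlImpl` class it precedes begins in the next hunk.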
@@ -7,13 +30,13 @@ namespace CKM { class Control::ControlImpl { public: - Control(){} - Control(const Control &) = delete; - Control(Control &&) = delete; - Control& operator=(const Control &) = delete; - Control& operator=(Control &&) = delete; + ControlImpl(){} + ControlImpl(const ControlImpl &) = delete; + ControlImpl(ControlImpl &&) = delete; + ControlImpl& operator=(const ControlImpl &) = delete; + ControlImpl& operator=(ControlImpl &&) = delete; - static int unlockUserKey(const std::string &user, const RawData &password) const { + static int unlockUserKey(const std::string &user, const RawData &password) { return try_catch([&] { if (user.empty()) return KEY_MANAGER_API_ERROR_INPUT_PARAM; @@ -24,7 +47,7 @@ public: Serialization::Serialize(send, password); int retCode = sendToServer( - SERVICE_SOCKET_CONTROL, + SERVICE_SOCKET_CKM_CONTROL, send.Pop(), recv); @@ -38,7 +61,7 @@ public: }); } - static int lockUserKey(const std::string &user) const { + static int lockUserKey(const std::string &user) { return try_catch([&] { if (user.empty()) return KEY_MANAGER_API_ERROR_INPUT_PARAM; @@ -48,7 +71,7 @@ public: Serialization::Serialize(send, user); int retCode = sendToServer( - SERVICE_SOCKET_CONTROL, + SERVICE_SOCKET_CKM_CONTROL, send.Pop(), recv); @@ -62,7 +85,7 @@ public: }); } - static int removeUserData(const std::string &user) const { + static int removeUserData(const std::string &user) { return try_catch([&] { if (user.empty()) return KEY_MANAGER_API_ERROR_INPUT_PARAM; @@ -72,7 +95,7 @@ public: Serialization::Serialize(send, user); int retCode = sendToServer( - SERVICE_SOCKET_CONTROL, + SERVICE_SOCKET_CKM_CONTROL, send.Pop(), recv); 
@@ -86,7 +109,7 @@ public: }); } - static int checkUserPassword(const std::string &user, const RawData &oldPassword, const RawData &newPassword) const { + static int changeUserPassword(const std::string &user, const RawData &oldPassword, const RawData &newPassword) { return try_catch([&] { if (user.empty()) return KEY_MANAGER_API_ERROR_INPUT_PARAM; @@ -98,7 +121,7 @@ public: Serialization::Serialize(send, newPassword); int retCode = sendToServer( - SERVICE_SOCKET_CONTROL, + SERVICE_SOCKET_CKM_CONTROL, send.Pop(), recv); @@ -112,7 +135,7 @@ public: }); } - static int resetUserPassword(const std::string &user, const RawData &newPassword) const { + static int resetUserPassword(const std::string &user, const RawData &newPassword) { return try_catch([&] { if (user.empty()) return KEY_MANAGER_API_ERROR_INPUT_PARAM; @@ -123,7 +146,7 @@ public: Serialization::Serialize(send, newPassword); int retCode = sendToServer( - SERVICE_SOCKET_CONTROL, + SERVICE_SOCKET_CKM_CONTROL, send.Pop(), recv); @@ -137,9 +160,15 @@ public: }); } - virtual ~Control(){} + virtual ~ControlImpl(){} }; +Control::Control() + : m_impl(new ControlImpl) +{} + +Control::~Control(){} + int Control::unlockUserKey(const std::string &user, const RawData &password) const { return m_impl->unlockUserKey(user, password); } @@ -160,5 +189,5 @@ int Control::resetUserPassword(const std::string &user, const RawData &newPasswo return m_impl->resetUserPassword(user, newPassword); } -} +} // namespace CKM diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp index a8ec3642..d2006561 100644 --- a/src/manager/common/protocols.cpp +++ b/src/manager/common/protocols.cpp 
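Review bot: `Control::Control() : m_impl(new ControlImpl)` pairs a bare `new` with a `shared_ptr`; `m_impl(std::make_shared<ControlImpl>())` is the exception-safe idiom and needs no other change because `ControlImpl` keeps a public default constructor. Every `ControlImpl` method is `static`, so `m_impl->unlockUserKey(user, password)` and the other forwarders never touch the object; presumably the pimpl exists for ABI stability, and a one-line comment on the class saying so (`// ControlImpl is stateless; held behind m_impl only to keep the public ABI stable`) would stop the next reader from "simplifying" it. The `user.empty()` guards remain the only client-side validation — the password buffers are forwarded as given, which is fine for a thin client but worth stating in the method comments.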
@@ -14,8 +14,7 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License - */ -/* + * * @file protocols.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @author Zofia Abramowska (z.abramowska@samsung.com) @@ -27,7 +26,9 @@ namespace CKM { - char const * const SERVICE_SOCKET_ECHO = - "/tmp/.key-manager-api-echo.sock"; +char const * const SERVICE_SOCKET_ECHO = "/tmp/.central-key-manager-echo.sock"; +char const * const SERVICE_SOCKET_CKM_CONTROL = "/tmp/.central-key-manager-api-control.sock"; +char const * const SERVICE_SOCKET_CKM_STORAGE = "/tmp/.central-key-manager-api-storage.sock"; + } // namespace CKM diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h index 08734dcf..d87e5685 100644 --- a/src/manager/common/protocols.h +++ b/src/manager/common/protocols.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * * Contact: Bumjin Im <bj.im@samsung.com> * @@ -14,8 +14,7 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License - */ -/* + * * @file protocols.h * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @author Zofia Abramowska (z.abramowska@samsung.com) 
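Review bot: All three service endpoints are now fixed paths under `/tmp` (`/tmp/.central-key-manager-*.sock`), a world-writable directory, and the client library addresses the service by that path alone (`sendToServer(SERVICE_SOCKET_CKM_CONTROL, …)` in client-control.cpp) with nothing visible that verifies the peer. If the service is not listening, a local process that binds the same name receives whatever a client sends — including the plaintext `password` that `unlockUserKey` serializes into the request. Whether `SmackLabelIpOut=@` on the socket units mitigates this depends on the Smack policy and cannot be judged from this diff; a directory only root can populate (a runtime directory under `/run`) or peer verification in `sendToServer` would remove the question. At minimum add above the definitions `// NOTE(review): paths live in /tmp; the client trusts whatever listens here — confirm Smack policy prevents impersonation.`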
@@ -23,15 +22,21 @@ * @brief This file contains list of all protocols suported by Central * Key Manager. */ - -#ifndef _CENT_KEY_MNG_PROTOCOLS_ -#define _CENT_KEY_MNG_PROTOCOLS_ +#pragma once namespace CKM { - extern char const * const SERVICE_SOCKET_ECHO; +extern char const * const SERVICE_SOCKET_ECHO; +extern char const * const SERVICE_SOCKET_CKM_CONTROL; +extern char const * const SERVICE_SOCKET_CKM_STORAGE; -} // namespace CKM +enum class ControlCommand : int { + UNLOCK_USER_KEY, + LOCK_USER_KEY, + REMOVE_USER_DATA, + CHANGE_USER_PASSWORD, + RESET_USER_PASSWORD +}; -#endif // _CENT_KEY_MNG_PROTOCOLS_ +} // namespace CKM diff --git a/src/manager/main/key-manager-main.cpp b/src/manager/main/key-manager-main.cpp index 59bd37ad..ad4e3e16 100644 --- a/src/manager/main/key-manager-main.cpp +++ b/src/manager/main/key-manager-main.cpp @@ -1,7 +1,5 @@ /* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im <bj.im@samsung.com> + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,10 +14,10 @@ * limitations under the License */ /* - * @file sever2-main.cpp + * @file key-manager-main.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @version 1.0 - * @brief Implementation of security-server2 + * @brief Implementation of central key manager */ #include <stdlib.h> #include <signal.h> @@ -31,6 +29,7 @@ #include <socket-manager.h> #include <echo.h> +#include <ckm-service.h> IMPLEMENT_SAFE_SINGLETON(CKM::Log::LogSystem); @@ -78,9 +77,8 @@ int main(void) { LogInfo("Start!"); CKM::SocketManager manager; - auto echoService = new CKM::EchoService; - echoService->Create(); - manager.RegisterSocketService(echoService); + REGISTER_SOCKET_SERVICE(manager, CKM::EchoService); + REGISTER_SOCKET_SERVICE(manager, CKM::CKMService); manager.MainLoop(); } 
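Review bot: `ControlCommand` is sent on the wire as a plain `int` and recovered with `static_cast<ControlCommand>` on the service side (ckm-service.cpp), so the enumerator values are part of the client/server ABI, but nothing in protocols.h says so. Add above the enum `// Wire protocol: sent as int and cast back by the service; append new commands at the end and never renumber.` Giving each enumerator its explicit value (`UNLOCK_USER_KEY = 0,` …) would make an accidental reorder visible in review rather than silently changing what an old client's message means.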
diff --git a/src/manager/service/KeyProvider.h b/src/manager/service/KeyProvider.h deleted file mode 100644 index 4c559000..00000000 --- a/src/manager/service/KeyProvider.h +++ /dev/null @@ -1,54 +0,0 @@ -#pragma once
-
-struct KeyMaterial;
-
-namespace CKM {
-
-// typedef std::vector<unsigned char> RawData; this must be defined in common header.
-
-// This is internal api so all functions should throw exception on errors.
-
-
-class KeyProvider {
- // In constructor you must check if SKMM is initialized. On error -> exception
- // keyInWrapForm should be used like this:
- // if (keyInWrapForm.size() != sizeof(WrappedKeyMaterial))
- // throw exception; // buffer does not have proper size to store WrappedKeyMaterial
- // WrappedKeyMaterial *wkm = static_cast<WrappedKeyMaterial>(keyInWrapForm.data());
- KeyProvider(const RawData &domainKEKInWrapForm, const RawData &password);
-
- // Returns Key used to decrypt database.
- KeyAES getDomainKEK();
-
- // Returns Key in form used to store key in file
- // Requied by Control::resetPassword(const RawData &newPassword);
- // This api should be used only on Tizen 2.2.1
- RawData getDomainKEK(const std::string &password);
-
- // EncryptedKey key extracted from database. Used to encrypt application data.
- // This key will be used to decrypt/encrypt data in ROW
- KeyAES decryptDEK(const RawData &encrypedDEKInWrapForm);
-
- // Returns WRAPPED DEK. This will be written to datbase.
- // This key will be used to encrypt all application information.
- // All application are identified by smackLabel.
- RawData generateDEK(const std::string &smackLabel);
-
- // used by change user password. On error -> exception
- static RawData reencrypt(const RawData &domainKEKInWrapForm, const RawData &oldPass, const RawData &newPass);
-
- // First run of application for some user. DomainKEK was not created yet. We must create one.
- // This key will be used to encrypt user database.
- static RawData generateDomainKEK(const std::string &user, const RawData &userPassword);
-
- // This will be called by framework at the begin of the program
- static initializeLibrary();
- // This will be called by framework at the end of the program
- static closeLibrary();
-
- virtual ~KeyProvider();
-private:
- KeyMaterial* m_dkek;
-};
-
-} // namespace CKM
\ No newline at end of file
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
new file mode 100644
index 00000000..8609a876
--- /dev/null
+++ b/src/manager/service/ckm-logic.cpp
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ *
+ * @file ckm-logic.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Sample service implementation.
+ */
+#include <ckm-logic.h>
+
+namespace CKM {
+
+CKMLogic::CKMLogic(){}
+CKMLogic::~CKMLogic(){}
+
+RawBuffer CKMLogic::unlockUserKey(const std::string &user, const RawBuffer &password) {
+ (void)user;
+ (void)password;
+ return RawBuffer();
+}
+
+RawBuffer CKMLogic::lockUserKey(const std::string &user) {
+ (void)user;
+ return RawBuffer();
+}
+
+RawBuffer CKMLogic::removeUserData(const std::string &user) {
+ (void)user;
+ return RawBuffer();
+}
+
+RawBuffer CKMLogic::changeUserPassword(
+ const std::string &user,
+ const RawBuffer &oldPassword,
+ const RawBuffer &newPassword)
+{
+ (void)user;
+ (void)oldPassword;
+ (void)newPassword;
+ return RawBuffer();
+}
+
+RawBuffer CKMLogic::resetUserPassword(
+ const std::string &user,
+ const RawBuffer &newPassword)
+{
+ (void)user;
+ (void)newPassword;
+ return RawBuffer();
+}
+
+} // namespace CKM
+
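Review bot: Every `CKMLogic` method returns an empty `RawBuffer`, and `CKMService::processOne` writes that buffer to the client as the reply, so a caller of the new control API receives a zero-length message and the client-side deserialization of the reply in client-control.cpp runs on nothing. Until the real logic lands, each stub should serialize an explicit failure code from the same `KEY_MANAGER_API_*` family the client already checks, so "not implemented" is a defined result instead of a protocol error that looks like a hostile server. The `@brief Sample service implementation.` line is copied from the echo service; `@brief Control-operation logic of the Central Key Manager (stubs; no key handling yet).` would tell a reader the truth. The password parameters are plaintext secrets — `// NOTE(review): wipe password buffers once real handling is added — confirm` belongs on `unlockUserKey`, `changeUserPassword` and `resetUserPassword`.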
diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h
new file mode 100644
index 00000000..657dab36
--- /dev/null
+++ b/src/manager/service/ckm-logic.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ *
+ *
+ * @file ckm-logic.h
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Sample service implementation.
+ */
+#pragma once
+
+#include <string>
+#include <vector>
+#include <message-buffer.h>
+
+namespace CKM {
+
+class CKMLogic {
+public:
+ CKMLogic();
+ CKMLogic(const CKMLogic &) = delete;
+ CKMLogic(CKMLogic &&) = delete;
+ CKMLogic& operator=(const CKMLogic &) = delete;
+ CKMLogic& operator=(CKMLogic &&) = delete;
+ virtual ~CKMLogic();
+
+ RawBuffer unlockUserKey(const std::string &user, const RawBuffer &password);
+
+ RawBuffer lockUserKey(const std::string &user);
+
+ RawBuffer removeUserData(const std::string &user);
+
+ RawBuffer changeUserPassword(
+ const std::string &user,
+ const RawBuffer &oldPassword,
+ const RawBuffer &newPassword);
+
+ RawBuffer resetUserPassword(
+ const std::string &user,
+ const RawBuffer &newPassword);
+private:
+
+};
+
+} // namespace CKM
+
diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp
new file mode 100644
index 00000000..b58349ee
--- /dev/null
+++ b/src/manager/service/ckm-service.cpp
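Review bot: The header gives the five operations no contract beyond their names: each takes `user` straight from a client message and returns a `RawBuffer` that ckm-service.cpp writes back to the client verbatim, and neither fact is stated. Add a class comment such as `// Business logic behind the control socket. Inputs come unvalidated from the client message; every method returns the serialized reply and must always carry a result code.` and, on `unlockUserKey`, `changeUserPassword` and `resetUserPassword`, `// password arguments are plaintext secrets — NOTE(review): confirm they are wiped after use`. `@brief Sample service implementation.` is copied from the echo service and should describe `CKMLogic` instead.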
@@ -0,0 +1,149 @@ +/* + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + * + * @file ckm-service.h + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + * @brief Sample service implementation. + */ +#include <service-thread.h> +#include <generic-socket-manager.h> +#include <connection-info.h> +#include <message-buffer.h> +#include <protocols.h> + +#include <dpl/serialization.h> +#include <dpl/log/log.h> + +#include <ckm-service.h> +#include <ckm-logic.h> + +namespace { +const CKM::InterfaceID SOCKET_ID_CONTROL = 0; +const CKM::InterfaceID SOCKET_ID_STORAGE = 1; +} // namespace anonymous + +namespace CKM { + +CKMService::CKMService() + : m_logic(new CKMLogic) +{} + +CKMService::~CKMService() { + delete m_logic; +} + +GenericSocketService::ServiceDescriptionVector CKMService::GetServiceDescription() +{ + return ServiceDescriptionVector { + {SERVICE_SOCKET_CKM_CONTROL, "ckm::api-control", SOCKET_ID_CONTROL}, + {SERVICE_SOCKET_CKM_STORAGE, "ckm::api-storage", SOCKET_ID_STORAGE} + }; +} + +void CKMService::accept(const AcceptEvent &event) { + LogDebug("Accept event"); + auto &info = m_connectionInfoMap[event.connectionID.counter]; + info.interfaceID = event.interfaceID; +} + +void CKMService::write(const WriteEvent &event) { + LogDebug("Write event (" << event.size << " bytes)"); +} + +void CKMService::process(const ReadEvent &event) { + LogDebug("Read 
event"); + auto &info = m_connectionInfoMap[event.connectionID.counter]; + info.buffer.Push(event.rawBuffer); + while(processOne(event.connectionID, info.buffer, info.interfaceID)); +} + +bool CKMService::processOne( + const ConnectionID &conn, + MessageBuffer &buffer, + InterfaceID interfaceID) +{ + LogDebug ("process One"); + RawBuffer response; + + Try { + if (!buffer.Ready()) + return false; + + if (interfaceID == SOCKET_ID_CONTROL) + response = processControl(buffer); + else + response = processStorage(conn, buffer); + + m_serviceManager->Write(conn, response); + + return true; + } Catch (MessageBuffer::Exception::Base) { + LogError("Broken protocol. Closing socket."); + } catch (...) { + LogError("Unknown exception. Closing socket."); + } + + m_serviceManager->Close(conn); + return false; +} + +RawBuffer CKMService::processControl(MessageBuffer &buffer) { + int command; + std::string user; + ControlCommand cc; + RawBuffer newPass, oldPass; + + Deserialization::Deserialize(buffer, command); + Deserialization::Deserialize(buffer, user); + + cc = static_cast<ControlCommand>(command); + + switch(cc) { + case ControlCommand::UNLOCK_USER_KEY: + Deserialization::Deserialize(buffer, newPass); + return m_logic->unlockUserKey(user, newPass); + case ControlCommand::LOCK_USER_KEY: + return m_logic->lockUserKey(user); + case ControlCommand::REMOVE_USER_DATA: + return m_logic->removeUserData(user); + case ControlCommand::CHANGE_USER_PASSWORD: + Deserialization::Deserialize(buffer, oldPass); + Deserialization::Deserialize(buffer, newPass); + return m_logic->changeUserPassword(user, oldPass, newPass); + case ControlCommand::RESET_USER_PASSWORD: + Deserialization::Deserialize(buffer, newPass); + return m_logic->resetUserPassword(user, newPass); + default: + // TODO + throw 1; // broken protocol + } +} + +RawBuffer CKMService::processStorage(const ConnectionID &conn, MessageBuffer &buffer){ + (void)conn; + (void)buffer; + return RawBuffer(); +} + + +void 
CKMService::close(const CloseEvent &event) { + LogDebug("Close event"); + m_connectionInfoMap.erase(event.connectionID.counter); +} + +} // namespace CKM + diff --git a/src/manager/service/ckm-service.h b/src/manager/service/ckm-service.h new file mode 100644 index 00000000..2c7a66a0 --- /dev/null +++ b/src/manager/service/ckm-service.h 
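Review bot: In `processControl` an unknown command value reaches `default: throw 1;`, which `processOne` only sees through `catch (...)` and logs as "Unknown exception" — the one branch that certainly indicates a malformed or hostile message gets the least specific handling and no indication of what was received. Throw a type derived from `MessageBuffer::Exception::Base` (which `processOne` already reports as "Broken protocol") or range-check `command` immediately after `Deserialization::Deserialize(buffer, command)`, before the `static_cast<ControlCommand>`. Separately, the service performs no caller check of its own: `user` is whatever the message says, so any peer able to connect to the control socket may lock, reset or remove any user's data; presumably the login manager is the only such peer, but that should be written down at the top of `processControl`, e.g. `// No caller authorization here: the control socket's Smack label is the sole gate, and user is client-supplied.` Also `m_logic` is `new`-ed in the constructor and `delete`-d in the destructor by hand — `std::unique_ptr<CKMLogic>` in the header makes `~CKMService` trivial — and the file header says `@file ckm-service.h` for a `.cpp`.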
@@ -0,0 +1,74 @@ +/* + * Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + * + * + * @file ckm-service.h + * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @version 1.0 + * @brief Sample service implementation. + */ +#pragma once + +#include <service-thread.h> +#include <generic-socket-manager.h> +#include <connection-info.h> +#include <message-buffer.h> + +namespace CKM { + +class CKMLogic; + +class CKMService + : public CKM::GenericSocketService + , public CKM::ServiceThread<CKMService> +{ +public: + CKMService(); + CKMService(const CKMService &) = delete; + CKMService(CKMService &&) = delete; + CKMService& operator=(const CKMService &) = delete; + CKMService& operator=(CKMService &&) = delete; + virtual ~CKMService(); + + ServiceDescriptionVector GetServiceDescription(); + + DECLARE_THREAD_EVENT(AcceptEvent, accept) + DECLARE_THREAD_EVENT(WriteEvent, write) + DECLARE_THREAD_EVENT(ReadEvent, process) + DECLARE_THREAD_EVENT(CloseEvent, close) + + void accept(const AcceptEvent &event); + void write(const WriteEvent &event); + void process(const ReadEvent &event); + void close(const CloseEvent &event); +private: + bool processOne( + const ConnectionID &conn, + MessageBuffer &buffer, + InterfaceID interfaceID); + + RawBuffer processControl( + MessageBuffer &buffer); + + RawBuffer processStorage( + const ConnectionID &conn, + MessageBuffer &buffer); + + ConnectionInfoMap 
m_connectionInfoMap; + CKMLogic *m_logic; +}; + +} // namespace CKM + diff --git a/src/manager/service/KeyAES.h b/src/manager/service/key-aes.h index 17f664e0..17f664e0 100644 --- a/src/manager/service/KeyAES.h +++ b/src/manager/service/key-aes.h diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h new file mode 100644 index 00000000..949f9d98 --- /dev/null +++ b/src/manager/service/key-provider.h @@ -0,0 +1,53 @@ +#pragma once
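Review bot: `CKMLogic *m_logic;` is an owning raw pointer that ckm-service.cpp pairs with `new` in the constructor and `delete` in the destructor; `std::unique_ptr<CKMLogic> m_logic;` (plus `#include <memory>`) expresses the ownership and still works with the forward declaration because `~CKMService` is defined out of line. The `@brief Sample service implementation.` header is copied from the echo service and should say what the class is: `@brief Socket service that dispatches control- and storage-socket requests to CKMLogic.` The `accept`/`process`/`close` handlers are also undocumented; a line on `process` such as `// Appends the received bytes to the connection's buffer and handles every complete message in it.` would match what the implementation does.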
+
+struct KeyMaterial;
+
+namespace CKM {
+
+// typedef std::vector<unsigned char> RawData; this must be defined in common header.
+
+// This is internal api so all functions should throw exception on errors.
+
+class KeyProvider {
+ // In constructor you must check if SKMM is initialized. On error -> exception
+ // keyInWrapForm should be used like this:
+ // if (keyInWrapForm.size() != sizeof(WrappedKeyMaterial))
+ // throw exception; // buffer does not have proper size to store WrappedKeyMaterial
+ // WrappedKeyMaterial *wkm = static_cast<WrappedKeyMaterial>(keyInWrapForm.data());
+ KeyProvider(const RawData &domainKEKInWrapForm, const RawData &password);
+
+ // Returns Key used to decrypt database.
+ KeyAES getDomainKEK();
+
+ // Returns Key in form used to store key in file
+ // Requied by Control::resetPassword(const RawData &newPassword);
+ // This api should be used only on Tizen 2.2.1
+ RawData getDomainKEK(const std::string &password);
+
+ // EncryptedKey key extracted from database. Used to encrypt application data.
+ // This key will be used to decrypt/encrypt data in ROW
+ KeyAES decryptDEK(const RawData &encrypedDEKInWrapForm);
+
+ // Returns WRAPPED DEK. This will be written to datbase.
+ // This key will be used to encrypt all application information.
+ // All application are identified by smackLabel.
+ RawData generateDEK(const std::string &smackLabel);
+
+ // used by change user password. On error -> exception
+ static RawData reencrypt(const RawData &domainKEKInWrapForm, const RawData &oldPass, const RawData &newPass);
+
+ // First run of application for some user. DomainKEK was not created yet. We must create one.
+ // This key will be used to encrypt user database.
+ static RawData generateDomainKEK(const std::string &user, const RawData &userPassword);
+
+ // This will be called by framework at the begin of the program
+ static initializeLibrary();
+ // This will be called by framework at the end of the program
+ static closeLibrary();
+
+ virtual ~KeyProvider();
+private:
+ KeyMaterial* m_dkek;
+};
+
+} // namespace CKM
diff --git a/src/manager/service/OCSP.h b/src/manager/service/ocsp.h index 2e596ab3..2e596ab3 100644 --- a/src/manager/service/OCSP.h +++ b/src/manager/service/ocsp.h diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 07d56434..37a025c7 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,7 +1,9 @@ INSTALL(FILES - ${CMAKE_SOURCE_DIR}/systemd/key-manager.service - ${CMAKE_SOURCE_DIR}/systemd/key-manager.target - ${CMAKE_SOURCE_DIR}/systemd/key-manager-echo.socket + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.target + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-api-control.socket + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-api-storage.socket + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-echo.socket DESTINATION /usr/lib/systemd/system ) diff --git a/systemd/central-key-manager-api-control.socket b/systemd/central-key-manager-api-control.socket new file mode 100644 index 00000000..9ea95b2e --- /dev/null +++ b/systemd/central-key-manager-api-control.socket @@ -0,0 +1,14 @@ +[Socket] +ListenStream=/tmp/.central-key-manager-api-control.sock +SockMode=0777 +SmackLabelIpIn=ckm::api-control +SmackLabelIpOut=@ + +Service=central-key-manager.service + +[Unit] +Wants=central-key-manager.target +Before=central-key-manager.target + +[Install] +WantedBy=sockets.target diff --git a/systemd/central-key-manager-api-storage.socket b/systemd/central-key-manager-api-storage.socket new file mode 100644 index 00000000..3a1f06a3 --- /dev/null +++ b/systemd/central-key-manager-api-storage.socket @@ -0,0 +1,14 @@ +[Socket] +ListenStream=/tmp/.central-key-manager-api-storage.sock +SockMode=0777 +SmackLabelIpIn=ckm::api-storage +SmackLabelIpOut=@ + +Service=central-key-manager.service + +[Unit] +Wants=central-key-manager.target +Before=central-key-manager.target + +[Install] +WantedBy=sockets.target 
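Review bot: Both new API sockets are created with `SockMode=0777`, so at the DAC level every local process may connect to the control socket; the only thing keeping `unlockUserKey`, `resetUserPassword` and `removeUserData` away from arbitrary users is `SmackLabelIpIn=ckm::api-control`. That is a single line of defence: on a kernel without Smack, or if that label is ever granted more widely, the control API is open to everyone. Consider a restrictive mode with a dedicated group as a second layer (`SockMode=0660` plus `SocketGroup=` on central-key-manager-api-control.socket), or at least record the decision in the unit: `# Access control relies solely on the Smack IPIN label below; SockMode is intentionally open.`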
diff --git a/systemd/central-key-manager-echo.socket b/systemd/central-key-manager-echo.socket new file mode 100644 index 00000000..f4e95754 --- /dev/null +++ b/systemd/central-key-manager-echo.socket @@ -0,0 +1,14 @@ +[Socket] +ListenStream=/tmp/.central-key-manager-echo.sock +SockMode=0777 +SmackLabelIpIn=* +SmackLabelIpOut=@ + +Service=central-key-manager.service + +[Unit] +Wants=central-key-manager.target +Before=central-key-manager.target + +[Install] +WantedBy=sockets.target diff --git a/systemd/key-manager.service b/systemd/central-key-manager.service index c33689c9..fe157bf9 100644 --- a/systemd/key-manager.service +++ b/systemd/central-key-manager.service @@ -4,7 +4,9 @@ Description=Start the Central Key Manager [Service] Type=notify ExecStart=/usr/bin/key-manager -Sockets=key-manager-echo.socket +Sockets=central-key-manager-echo.socket +Sockets=central-key-manager-api-storage.socket +Seckets=central-key-manager-api-control.socket [Install] WantedBy=multi-user.target diff --git a/systemd/central-key-manager.target b/systemd/central-key-manager.target new file mode 100644 index 00000000..01eaa8e9 --- /dev/null +++ b/systemd/central-key-manager.target @@ -0,0 +1,4 @@ +[Unit] +Description=Central Key Manager sockets +DefaultDependencies=true + |
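Review bot: `Seckets=central-key-manager-api-control.socket` in central-key-manager.service is a typo for `Sockets=`; systemd will log an unknown-lvalue warning and ignore the line, so the control socket is not listed among the service's sockets even though the socket unit's `Service=` points back at it. Whether activation still works through that back-reference cannot be judged from the diff, but the line should read `Sockets=central-key-manager-api-control.socket`. Repeated `Sockets=` lines accumulate, so the other two entries are fine as written.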