author | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2018-07-19 16:31:27 +0200 |
---|---|---|
committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2018-08-28 13:18:39 +0000 |
commit | 31a373a9389e65b242ac1890771bfee06f5cfb51 (patch) | |
tree | 06fe1319997a8a4ddb247e62127b73f833ba900f | |
parent | b61e8105c2dbdf36b33cc870624ec4ce2efbcadd (diff) | |
Unify alias naming
Get rid of all references to smack labels except the database schema.
alias = owner_id + name
Simplify db permissions processing
Change-Id: I36c3dbb3ee605fb00e5e4e6bcbada6400a0cbcab
54 files changed, 798 insertions, 767 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a4943c8a..c24850ab 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -61,6 +61,7 @@ SET(KEY_MANAGER_SOURCES ${KEY_MANAGER_PATH}/service/ocsp-service.cpp ${KEY_MANAGER_PATH}/service/ss-migrate.cpp ${KEY_MANAGER_PATH}/service/ss-crypto.cpp + ${KEY_MANAGER_PATH}/service/permission.cpp ${KEY_MANAGER_PATH}/initial-values/parser.cpp ${KEY_MANAGER_PATH}/initial-values/BufferHandler.cpp ${KEY_MANAGER_PATH}/initial-values/CertHandler.cpp diff --git a/src/include/ckm/ckm-control.h b/src/include/ckm/ckm-control.h index dd36f9d1..51b82563 100644 --- a/src/include/ckm/ckm-control.h +++ b/src/include/ckm/ckm-control.h @@ -57,15 +57,15 @@ public: // Required for tizen 2.3. // It will remove all application data owned by application identified - // by smackLabel. This function will remove application data from unlocked + // by owner. This function will remove application data from unlocked // database only. This function may be used during application uninstallation. - virtual int removeApplicationData(const std::string &smackLabel) = 0; + virtual int removeApplicationData(const ClientId &owner) = 0; virtual int updateCCMode() = 0; virtual int setPermission(uid_t user, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) = 0; virtual ~Control() {} diff --git a/src/include/ckm/ckm-manager-async.h b/src/include/ckm/ckm-manager-async.h index f812aea9..e8fabaa0 100644 --- a/src/include/ckm/ckm-manager-async.h +++ b/src/include/ckm/ckm-manager-async.h @@ -193,7 +193,7 @@ public: void setPermission( const ObserverPtr &observer, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask); // This function will encrypt data. diff --git a/src/include/ckm/ckm-manager.h b/src/include/ckm/ckm-manager.h index 8f673841..22ec9a50 100644 --- a/src/include/ckm/ckm-manager.h +++ b/src/include/ckm/ckm-manager.h 
@@ -143,7 +143,7 @@ public: int ocspCheck(const CertificateShPtrVector &certificateChainVector, int &ocspStatus); - int setPermission(const Alias &alias, const Label &accessor, + int setPermission(const Alias &alias, const ClientId &accessor, PermissionMask permissionMask); // This function will encrypt data. diff --git a/src/include/ckm/ckm-type.h b/src/include/ckm/ckm-type.h index 5a07a3de..5021f263 100644 --- a/src/include/ckm/ckm-type.h +++ b/src/include/ckm/ckm-type.h @@ -38,8 +38,18 @@ namespace CKM { // used to pass password and raw key data typedef std::vector<RawBuffer> RawBufferVector; +/* + * Alias = ClientId + ' ' + Name + * ClientId is optional + */ typedef std::string Alias; -typedef std::string Label; +/* + * ClientId is an identifier of the API caller returned by security-manager(pkgid). + * It can be an application or a system component. + * Depending on the context the ClientId may indicate a data owner, data accessor + * or just a client in general. + */ +typedef std::string ClientId; typedef std::vector<Alias> AliasVector; enum class KeyType : int { diff --git a/src/include/ckmc/ckmc-control.h b/src/include/ckmc/ckmc-control.h index 687deb19..459c4808 100644 --- a/src/include/ckmc/ckmc-control.h +++ b/src/include/ckmc/ckmc-control.h 
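Review bot: Removing `typedef std::string Label;` from ckm-type.h drops a type name from what looks like the installed public C++ header, so any external code spelling `CKM::Label` stops compiling even though the underlying string type is unchanged (the C side keeps `ckmc_label_name_separator` in ckmc-type.cpp for exactly this kind of compatibility). Unless breaking source compatibility is intended, keep a transitional alias next to the new typedef, e.g. `typedef ClientId Label; // deprecated, use ClientId`. The new Alias comment also hard-codes `' '`; naming the constant instead, `Alias = ClientId + ALIAS_SEPARATOR + Name`, keeps the comment true if the separator ever changes.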
@@ -218,14 +218,15 @@ TIZEN_DEPRECATED_API; * @privilege %http://tizen.org/privilege/keymanager.admin * * @remarks Data identified by @a alias should exist - * @remarks @a alias must contain owner label (<owner label><ckmc_owner_id_separator><name>) - * - * @param[in] user User ID of a user whose data will be affected - * @param[in] alias Data alias for which access will be granted - * @param[in] accessor Package id of the application that will gain access rights - * @param[in] permissions Mask of permissions granted for @a accessor application - * (@a ckmc_permission_e) - * (previous permission mask will be replaced with the new mask value) + * @remarks @a alias must contain owner id and name + * (<owner id><ckmc_owner_id_separator><name>) + * + * @param[in] user User ID of a user whose data will be affected + * @param[in] alias Data alias for which access will be granted + * @param[in] accessor Package id of the application that will gain access rights + * @param[in] mask Mask of permissions granted for @a accessor application + * (@a ckmc_permission_e) + * (previous permission mask will be replaced with the new mask value) * * @return @c 0 on success, otherwise a negative error value * diff --git a/src/manager/client-async/client-manager-async-impl.cpp b/src/manager/client-async/client-manager-async-impl.cpp index 3837771e..74f14f9a 100644 --- a/src/manager/client-async/client-manager-async-impl.cpp +++ b/src/manager/client-async/client-manager-async-impl.cpp @@ -96,7 +96,7 @@ void ManagerAsync::Impl::saveBinaryData(const ManagerAsync::ObserverPtr AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::SAVE), m_counter, - static_cast<int>(dataType), helper.getName(), helper.getLabel(), rawData, + static_cast<int>(dataType), helper.getName(), helper.getOwner(), rawData, PolicySerializable(policy)); }, [&observer](int error) { observer->ReceivedError(error); 
@@ -112,7 +112,7 @@ void ManagerAsync::Impl::savePKCS12(const ManagerAsync::ObserverPtr &observer, try_catch_async([&]() { AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::SAVE_PKCS12), - m_counter, helper.getName(), helper.getLabel(), PKCS12Serializable(*pkcs.get()), + m_counter, helper.getName(), helper.getOwner(), PKCS12Serializable(*pkcs.get()), PolicySerializable(keyPolicy), PolicySerializable(certPolicy)); }, [&observer](int error) { observer->ReceivedError(error); @@ -132,7 +132,7 @@ void ManagerAsync::Impl::removeAlias(const ManagerAsync::ObserverPtr &observer, try_catch_async([&]() { AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::REMOVE), m_counter, - helper.getName(), helper.getLabel()); + helper.getName(), helper.getOwner()); }, [&observer](int error) { observer->ReceivedError(error); }); @@ -155,7 +155,7 @@ void ManagerAsync::Impl::getBinaryData(const ManagerAsync::ObserverPtr AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::GET), m_counter, - static_cast<int>(sendDataType), helper.getName(), helper.getLabel(), password); + static_cast<int>(sendDataType), helper.getName(), helper.getOwner(), password); }, [&observer](int error) { observer->ReceivedError(error); }); @@ -177,7 +177,7 @@ void ManagerAsync::Impl::getPKCS12(const ManagerAsync::ObserverPtr &observer, AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::GET_PKCS12), m_counter, - helper.getName(), helper.getLabel(), passwordKey, passwordCert); + helper.getName(), helper.getOwner(), passwordKey, passwordCert); }, [&observer](int error) { observer->ReceivedError(error); }); 
@@ -199,7 +199,7 @@ void ManagerAsync::Impl::createSignature(const ObserverPtr &observer, try_catch_async([&]() { AliasSupport helper(privateKeyAlias); sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_SIGNATURE), - m_counter, helper.getName(), helper.getLabel(), password, message, + m_counter, helper.getName(), helper.getOwner(), password, message, CryptoAlgorithmSerializable(cAlg)); }, [&observer](int error) { observer->ReceivedError(error); @@ -224,7 +224,7 @@ void ManagerAsync::Impl::verifySignature(const ObserverPtr &observer, AliasSupport helper(publicKeyOrCertAlias); sendToStorage(observer, static_cast<int>(LogicCommand::VERIFY_SIGNATURE), - m_counter, helper.getName(), helper.getLabel(), password, + m_counter, helper.getName(), helper.getOwner(), password, message, signature, CryptoAlgorithmSerializable(cAlg)); }, [&observer](int error) { observer->ReceivedError(error); @@ -263,7 +263,7 @@ void ManagerAsync::Impl::ocspCheck(const ObserverPtr &observer, void ManagerAsync::Impl::setPermission(const ObserverPtr &observer, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) { observerCheck(observer); @@ -277,7 +277,7 @@ void ManagerAsync::Impl::setPermission(const ObserverPtr &observer, AliasSupport helper(alias); sendToStorage(observer, static_cast<int>(LogicCommand::SET_PERMISSION), - m_counter, helper.getName(), helper.getLabel(), accessor, permissionMask); + m_counter, helper.getName(), helper.getOwner(), accessor, permissionMask); }, [&observer](int error) { observer->ReceivedError(error); }); 
@@ -346,8 +346,8 @@ void ManagerAsync::Impl::createKeyPair(const ManagerAsync::ObserverPtr sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_KEY_PAIR), m_counter, CryptoAlgorithmSerializable(keyGenAlgorithm), PolicySerializable(policyPrivateKey), PolicySerializable(policyPublicKey), - prvHelper.getName(), prvHelper.getLabel(), pubHelper.getName(), - pubHelper.getLabel()); + prvHelper.getName(), prvHelper.getOwner(), pubHelper.getName(), + pubHelper.getOwner()); }, [&observer](int error) { observer->ReceivedError(error); }); @@ -370,7 +370,7 @@ void ManagerAsync::Impl::createKeyAES(const ManagerAsync::ObserverPtr &observer, sendToStorage(observer, static_cast<int>(LogicCommand::CREATE_KEY_AES), m_counter, static_cast<int>(size), PolicySerializable(policyKey), - aliasHelper.getName(), aliasHelper.getLabel()); + aliasHelper.getName(), aliasHelper.getOwner()); }, [&observer](int error) { observer->ReceivedError(error); }); @@ -403,7 +403,7 @@ void ManagerAsync::Impl::crypt( auto send = MessageBuffer::Serialize(static_cast<int>(encryption ? EncryptionCommand::ENCRYPT : EncryptionCommand::DECRYPT), m_counter, cas, - helper.getName(), helper.getLabel(), password, input); + helper.getName(), helper.getOwner(), password, input); thread()->sendMessage(AsyncRequest(observer, SERVICE_SOCKET_ENCRYPTION, send.Pop(), m_counter)); diff --git a/src/manager/client-async/client-manager-async-impl.h b/src/manager/client-async/client-manager-async-impl.h index 65f4970a..96c10510 100644 --- a/src/manager/client-async/client-manager-async-impl.h +++ b/src/manager/client-async/client-manager-async-impl.h @@ -80,7 +80,7 @@ public: void setPermission( const ObserverPtr &observer, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask); // generic methods diff --git a/src/manager/client-async/client-manager-async.cpp b/src/manager/client-async/client-manager-async.cpp index 471c8483..6227b8da 100644 
--- a/src/manager/client-async/client-manager-async.cpp +++ b/src/manager/client-async/client-manager-async.cpp @@ -39,16 +39,16 @@ RawBufferVector toRawBufferVector(const CertificateShPtrVector &certificates) return rawBufferVector; } -LabelNameVector toLabelNameVector(const AliasVector &aliases) +OwnerNameVector toOwnerNameVector(const AliasVector &aliases) { - LabelNameVector labelNames; + OwnerNameVector ownerNameVector; for (auto &e : aliases) { AliasSupport helper(e); - labelNames.push_back(std::make_pair(helper.getLabel(), helper.getName())); + ownerNameVector.push_back(std::make_pair(helper.getOwner(), helper.getName())); } - return labelNames; + return ownerNameVector; } } // namespace anonymous @@ -235,8 +235,8 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer, m_impl->getCertChain(observer, LogicCommand::GET_CHAIN_ALIAS, certificate, - toLabelNameVector(untrustedCertificates), - toLabelNameVector(trustedCertificates), + toOwnerNameVector(untrustedCertificates), + toOwnerNameVector(trustedCertificates), useSystemTrustedCertificates); }, [&observer](int error) { observer->ReceivedError(error); @@ -279,7 +279,7 @@ void ManagerAsync::ocspCheck(const ObserverPtr &observer, void ManagerAsync::setPermission(const ObserverPtr &observer, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) { m_impl->setPermission(observer, alias, accessor, permissionMask); diff --git a/src/manager/client-async/storage-receiver.cpp b/src/manager/client-async/storage-receiver.cpp index ad259173..e282dfac 100644 --- a/src/manager/client-async/storage-receiver.cpp +++ b/src/manager/client-async/storage-receiver.cpp 
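Review bot: In toOwnerNameVector the rewritten body still builds each element with `push_back(std::make_pair(...))` and grows the vector one element at a time; `ownerNameVector.reserve(aliases.size());` before the loop and `ownerNameVector.emplace_back(helper.getOwner(), helper.getName());` inside it express the same thing with a single allocation and no temporary pair. The loop variable can be `const auto &e` as well, since each alias is only read.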
@@ -153,8 +153,8 @@ void StorageReceiver::parseGetPKCS12Command() void StorageReceiver::parseGetListCommand() { int dataType = 0, retCode = 0; - LabelNameVector labelNameVector; - m_buffer.Deserialize(retCode, dataType, labelNameVector); + OwnerNameVector ownerNameVector; + m_buffer.Deserialize(retCode, dataType, ownerNameVector); // check error code if (retCode != CKM_API_SUCCESS) { @@ -164,7 +164,7 @@ void StorageReceiver::parseGetListCommand() AliasVector aliasVector; - for (const auto &it : labelNameVector) + for (const auto &it : ownerNameVector) aliasVector.push_back(AliasSupport::merge(it.first, it.second)); DataType type(dataType); diff --git a/src/manager/client-capi/ckmc-control.cpp b/src/manager/client-capi/ckmc-control.cpp index ff3d603e..2ee14383 100644 --- a/src/manager/client-capi/ckmc-control.cpp +++ b/src/manager/client-capi/ckmc-control.cpp @@ -95,9 +95,9 @@ int ckmc_allow_access_by_adm(uid_t user, const char *owner, const char *alias, if (ec != CKMC_ERROR_NONE) return ec; - // if label given twice, service will return an error + // if owner given twice, service will return an error return ckmc_set_permission_by_adm(user, - CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(), accessor, + CKM::AliasSupport::merge(CKM::ClientId(owner), CKM::Name(alias)).c_str(), accessor, permissionMask); } @@ -123,11 +123,11 @@ int ckmc_deny_access_by_adm(uid_t user, const char *owner, const char *alias, if (!owner || !alias) return CKMC_ERROR_INVALID_PARAMETER; - // if label given twice, service will return an error + // if owner given twice, service will return an error auto control = CKM::Control::create(); return to_ckmc_error(control->setPermission( user, - CKM::AliasSupport::merge(CKM::Label(owner), CKM::Name(alias)).c_str(), + CKM::AliasSupport::merge(CKM::ClientId(owner), CKM::Name(alias)).c_str(), accessor, CKM::Permission::NONE)); } 
diff --git a/src/manager/client-capi/ckmc-type.cpp b/src/manager/client-capi/ckmc-type.cpp index 926cbd4e..a613d8d6 100644 --- a/src/manager/client-capi/ckmc-type.cpp +++ b/src/manager/client-capi/ckmc-type.cpp @@ -68,9 +68,9 @@ int _ckmc_load_cert_from_x509(X509 *xCert, ckmc_cert_s **cert) } // namespace anonymous -const char *const ckmc_label_name_separator = CKM::LABEL_NAME_SEPARATOR; -const char *const ckmc_owner_id_separator = CKM::LABEL_NAME_SEPARATOR; -const char *const ckmc_owner_id_system = CKM::OWNER_ID_SYSTEM; +const char *const ckmc_label_name_separator = CKM::ALIAS_SEPARATOR; +const char *const ckmc_owner_id_separator = CKM::ALIAS_SEPARATOR; +const char *const ckmc_owner_id_system = CKM::CLIENT_ID_SYSTEM; KEY_MANAGER_CAPI int ckmc_alias_new(const char *owner_id, const char *alias, char **full_alias) diff --git a/src/manager/client/client-common.cpp b/src/manager/client/client-common.cpp index 312f3340..bb9ad4d0 100644 --- a/src/manager/client/client-common.cpp +++ b/src/manager/client/client-common.cpp @@ -173,24 +173,24 @@ int SockRAII::get() const AliasSupport::AliasSupport(const Alias &alias) { - std::size_t separator_pos = alias.rfind(CKM::LABEL_NAME_SEPARATOR); + std::size_t separator_pos = alias.rfind(CKM::ALIAS_SEPARATOR); if (separator_pos == Alias::npos) { - m_label.clear(); + m_owner.clear(); m_name = alias; } else { - m_label = alias.substr(0, separator_pos); - m_name = alias.substr(separator_pos + strlen(CKM::LABEL_NAME_SEPARATOR)); + m_owner = alias.substr(0, separator_pos); + m_name = alias.substr(separator_pos + strlen(CKM::ALIAS_SEPARATOR)); } } -Alias AliasSupport::merge(const Label &label, const Name &name) +Alias AliasSupport::merge(const ClientId &owner, const Name &name) { - if (label.empty()) + if (owner.empty()) return name; std::stringstream output; - output << label << std::string(CKM::LABEL_NAME_SEPARATOR) << name; + output << owner << std::string(CKM::ALIAS_SEPARATOR) << name; return output.str(); } 
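Review bot: AliasSupport splits at the last ALIAS_SEPARATOR (`rfind`) while merge() concatenates without checking its inputs, so merge(owner, name) followed by AliasSupport only round-trips when name contains no separator — a constructed example: `merge("o", "a b")` comes back as owner `o a`, name `b`. That contract is not written anywhere in the hunk; a comment above the constructor such as `// Splits at the LAST separator: the name part never contains ALIAS_SEPARATOR, everything before it is the owner id` and one above merge noting that owner is not validated against ALIAS_SEPARATOR would make it explicit. Separately, `std::stringstream` is heavy for a two-piece concatenation; `return owner + CKM::ALIAS_SEPARATOR + name;` is equivalent and shorter.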
@@ -199,14 +199,14 @@ const Name &AliasSupport::getName() const return m_name; } -const Label &AliasSupport::getLabel() const +const ClientId &AliasSupport::getOwner() const { - return m_label; + return m_owner; } -bool AliasSupport::isLabelEmpty() const +bool AliasSupport::isOwnerEmpty() const { - return m_label.empty(); + return m_owner.empty(); } ServiceConnection::ServiceConnection(const char *service_interface) diff --git a/src/manager/client/client-common.h b/src/manager/client/client-common.h index 442da37c..cedb50ed 100644 --- a/src/manager/client/client-common.h +++ b/src/manager/client/client-common.h @@ -51,15 +51,15 @@ class AliasSupport { public: AliasSupport(const Alias &alias); - const Label &getLabel() const; + const ClientId &getOwner() const; const Name &getName() const; - bool isLabelEmpty() const; + bool isOwnerEmpty() const; - static Alias merge(const Label &label, const Name &alias); + static Alias merge(const ClientId &owner, const Name &alias); private: Name m_name; - Label m_label; + ClientId m_owner; }; class SockRAII { diff --git a/src/manager/client/client-control.cpp b/src/manager/client/client-control.cpp index 9a90cad7..e92c4d48 100644 --- a/src/manager/client/client-control.cpp +++ b/src/manager/client/client-control.cpp @@ -161,16 +161,16 @@ public: EXCEPTION_GUARD_END } - virtual int removeApplicationData(const Label &smackLabel) + virtual int removeApplicationData(const ClientId &owner) { EXCEPTION_GUARD_START_CPPAPI - if (smackLabel.empty()) + if (owner.empty()) return CKM_API_ERROR_INPUT_PARAM; MessageBuffer recv; auto send = MessageBuffer::Serialize(static_cast<int> - (ControlCommand::REMOVE_APP_DATA), smackLabel); + (ControlCommand::REMOVE_APP_DATA), owner); int retCode = m_controlConnection.processRequest(send.Pop(), recv); @@ -206,7 +206,7 @@ public: virtual int setPermission(uid_t user, const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) { EXCEPTION_GUARD_START_CPPAPI 
@@ -217,7 +217,7 @@ public: (ControlCommand::SET_PERMISSION), static_cast<int>(user), helper.getName(), - helper.getLabel(), + helper.getOwner(), accessor, permissionMask); diff --git a/src/manager/client/client-manager-impl.cpp b/src/manager/client/client-manager-impl.cpp index fa4f5a9f..7a81943d 100644 --- a/src/manager/client/client-manager-impl.cpp +++ b/src/manager/client/client-manager-impl.cpp @@ -118,7 +118,7 @@ int Manager::Impl::saveBinaryData( my_counter, static_cast<int>(dataType), helper.getName(), - helper.getLabel(), + helper.getOwner(), rawData, PolicySerializable(policy)); @@ -194,7 +194,7 @@ int Manager::Impl::savePKCS12( (LogicCommand::SAVE_PKCS12), my_counter, helper.getName(), - helper.getLabel(), + helper.getOwner(), PKCS12Serializable(*pkcs.get()), PolicySerializable(keyPolicy), PolicySerializable(certPolicy)); @@ -236,7 +236,7 @@ int Manager::Impl::getPKCS12(const Alias &alias, const Password &keyPass, auto send = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET_PKCS12), my_counter, helper.getName(), - helper.getLabel(), + helper.getOwner(), keyPass, certPass); @@ -275,7 +275,7 @@ int Manager::Impl::removeAlias(const Alias &alias) auto send = MessageBuffer::Serialize(static_cast<int>(LogicCommand::REMOVE), my_counter, helper.getName(), - helper.getLabel()); + helper.getOwner()); int retCode = m_storageConnection.processRequest(send.Pop(), recv); @@ -314,7 +314,7 @@ int Manager::Impl::getBinaryData( my_counter, static_cast<int>(sendDataType), helper.getName(), - helper.getLabel(), + helper.getOwner(), password); int retCode = m_storageConnection.processRequest(send.Pop(), recv); 
@@ -439,14 +439,14 @@ int Manager::Impl::getBinaryDataAliasVector(DataType dataType, int command; int counter; int tmpDataType; - LabelNameVector labelNameVector; - recv.Deserialize(command, counter, retCode, tmpDataType, labelNameVector); + OwnerNameVector ownerNameVector; + recv.Deserialize(command, counter, retCode, tmpDataType, ownerNameVector); if ((command != static_cast<int>(LogicCommand::GET_LIST)) || (counter != my_counter)) return CKM_API_ERROR_UNKNOWN; - for (const auto &it : labelNameVector) + for (const auto &it : ownerNameVector) aliasVector.push_back(AliasSupport::merge(it.first, it.second)); return retCode; @@ -523,7 +523,7 @@ int Manager::Impl::createKeyAES( static_cast<int>(size), PolicySerializable(policyKey), aliasHelper.getName(), - aliasHelper.getLabel()); + aliasHelper.getOwner()); int retCode = m_storageConnection.processRequest(send.Pop(), recv); @@ -592,9 +592,9 @@ int Manager::Impl::createKeyPair( PolicySerializable(policyPrivateKey), PolicySerializable(policyPublicKey), privateHelper.getName(), - privateHelper.getLabel(), + privateHelper.getOwner(), publicHelper.getName(), - publicHelper.getLabel()); + publicHelper.getOwner()); int retCode = m_storageConnection.processRequest(send.Pop(), recv); 
@@ -656,20 +656,20 @@ int Manager::Impl::getCertificateChain( bool useTrustedSystemCertificates, CertificateShPtrVector &certificateChainVector) { - LabelNameVector untrustedVector; - LabelNameVector trustedVector; + OwnerNameVector untrustedVector; + OwnerNameVector trustedVector; if (!certificate || certificate->empty()) return CKM_API_ERROR_INPUT_PARAM; for (auto &e : untrustedCertificates) { AliasSupport helper(e); - untrustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName())); + untrustedVector.push_back(std::make_pair(helper.getOwner(), helper.getName())); } for (auto &e : trustedCertificates) { AliasSupport helper(e); - trustedVector.push_back(std::make_pair(helper.getLabel(), helper.getName())); + trustedVector.push_back(std::make_pair(helper.getOwner(), helper.getName())); } return getCertChain( @@ -700,7 +700,7 @@ int Manager::Impl::createSignature( (LogicCommand::CREATE_SIGNATURE), my_counter, helper.getName(), - helper.getLabel(), + helper.getOwner(), password, message, CryptoAlgorithmSerializable(cAlgorithm)); @@ -740,7 +740,7 @@ int Manager::Impl::verifySignature( (LogicCommand::VERIFY_SIGNATURE), my_counter, helper.getName(), - helper.getLabel(), + helper.getOwner(), password, message, signature, @@ -802,7 +802,7 @@ int Manager::Impl::ocspCheck(const CertificateShPtrVector &certChain, } int Manager::Impl::setPermission(const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) { int my_counter = ++m_counter; @@ -815,7 +815,7 @@ int Manager::Impl::setPermission(const Alias &alias, (LogicCommand::SET_PERMISSION), my_counter, helper.getName(), - helper.getLabel(), + helper.getOwner(), accessor, permissionMask); @@ -854,7 +854,7 @@ int Manager::Impl::crypt(EncryptionCommand command, my_counter, cas, helper.getName(), - helper.getLabel(), + helper.getOwner(), password, input); 
diff --git a/src/manager/client/client-manager-impl.h b/src/manager/client/client-manager-impl.h index ca8a6173..caaf6696 100644 --- a/src/manager/client/client-manager-impl.h +++ b/src/manager/client/client-manager-impl.h @@ -115,7 +115,7 @@ public: int ocspCheck(const CertificateShPtrVector &certificateChain, int &ocspCheck); - int setPermission(const Alias &alias, const Label &accessor, + int setPermission(const Alias &alias, const ClientId &accessor, PermissionMask permissionMask); int encrypt(const CryptoAlgorithm &algo, diff --git a/src/manager/client/client-manager.cpp b/src/manager/client/client-manager.cpp index c7f13190..073f8293 100644 --- a/src/manager/client/client-manager.cpp +++ b/src/manager/client/client-manager.cpp @@ -229,7 +229,7 @@ int Manager::ocspCheck(const CertificateShPtrVector &certificateChainVector, int Manager::setPermission( const Alias &alias, - const Label &accessor, + const ClientId &accessor, PermissionMask permissionMask) { return m_impl->setPermission(alias, accessor, permissionMask); diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp index 8cf65725..d846ca46 100644 --- a/src/manager/common/protocols.cpp +++ b/src/manager/common/protocols.cpp @@ -38,9 +38,9 @@ char const *const SERVICE_SOCKET_OCSP = "/tmp/.central-key-manager-api-ocsp.sock"; char const *const SERVICE_SOCKET_ENCRYPTION = "/tmp/.central-key-manager-api-encryption.sock"; -char const *const LABEL_NAME_SEPARATOR = " "; -char const *const OWNER_ID_SYSTEM = "/System"; -char const *const OWNER_ID_ADMIN_USER = "/User"; +char const *const ALIAS_SEPARATOR = " "; +char const *const CLIENT_ID_SYSTEM = "/System"; +char const *const CLIENT_ID_ADMIN_USER = "/User"; PKCS12Serializable::PKCS12Serializable() { diff --git a/src/manager/common/protocols.h b/src/manager/common/protocols.h index e8be62bf..8f7ec0e2 100644 --- a/src/manager/common/protocols.h +++ b/src/manager/common/protocols.h 
@@ -73,13 +73,13 @@ enum class EncryptionCommand : int { DECRYPT }; -// (client side) Alias = (service side) Label::Name -COMMON_API extern char const *const LABEL_NAME_SEPARATOR; -COMMON_API extern char const *const OWNER_ID_SYSTEM; -COMMON_API extern char const *const OWNER_ID_ADMIN_USER; +// (client side) Alias = (service side) Owner::Name +COMMON_API extern char const *const ALIAS_SEPARATOR; +COMMON_API extern char const *const CLIENT_ID_SYSTEM; +COMMON_API extern char const *const CLIENT_ID_ADMIN_USER; typedef std::string Name; -typedef std::vector<std::pair<Label, Name>> LabelNameVector; +typedef std::vector<std::pair<ClientId, Name>> OwnerNameVector; class IStream; diff --git a/src/manager/initial-values/InitialValueHandler.cpp b/src/manager/initial-values/InitialValueHandler.cpp index c4bcd929..cd92dd67 100644 --- a/src/manager/initial-values/InitialValueHandler.cpp +++ b/src/manager/initial-values/InitialValueHandler.cpp @@ -87,9 +87,9 @@ void InitialValueHandler::End() // save permissions for (const auto &permission : m_permissions) { ec = m_db_logic.setPermissionHelper( - Credentials(CKMLogic::SYSTEM_DB_UID, OWNER_ID_SYSTEM), + Credentials(CKMLogic::SYSTEM_DB_UID, CLIENT_ID_SYSTEM), m_name, - OWNER_ID_SYSTEM, + CLIENT_ID_SYSTEM, permission->getAccessor(), Permission::READ); diff --git a/src/manager/initial-values/PermissionHandler.cpp b/src/manager/initial-values/PermissionHandler.cpp index 0a7f523c..7efc3e9b 100644 --- a/src/manager/initial-values/PermissionHandler.cpp +++ b/src/manager/initial-values/PermissionHandler.cpp @@ -34,9 +34,9 @@ PermissionHandler::~PermissionHandler() {} void PermissionHandler::Start(const XML::Parser::Attributes &attr) { - // get accessor label + // get accessor id if (attr.find(XML_ATTR_ACCESSOR) != attr.end()) - m_accessor = Label(attr.at(XML_ATTR_ACCESSOR)); + m_accessor = ClientId(attr.at(XML_ATTR_ACCESSOR)); } void PermissionHandler::End() 
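Review bot: The rewritten comment `// (client side) Alias = (service side) Owner::Name` in protocols.h suggests `::` as the separator, but ALIAS_SEPARATOR is defined as `" "` in protocols.cpp in this same commit, and `::` is the pkgid subdomain separator used in socket-2-id.cpp, so the two are easy to confuse. `// (client side) Alias = (service side) Owner + ALIAS_SEPARATOR + Name  (the separator is a single space)` states the actual format.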
diff --git a/src/manager/initial-values/PermissionHandler.h b/src/manager/initial-values/PermissionHandler.h
index d84ecb29..acef23ca 100644
--- a/src/manager/initial-values/PermissionHandler.h
+++ b/src/manager/initial-values/PermissionHandler.h
@@ -39,13 +39,13 @@ public:
 virtual void Start(const XML::Parser::Attributes &);
 virtual void End();
- const Label &getAccessor() const
+ const ClientId &getAccessor() const
 {
 return m_accessor;
 }
 private:
- Label m_accessor;
+ ClientId m_accessor;
 };
 }
diff --git a/src/manager/main/credentials.h b/src/manager/main/credentials.h
index bae9c852..916e4eb7 100644
--- a/src/manager/main/credentials.h
+++ b/src/manager/main/credentials.h
@@ -28,10 +28,10 @@ namespace CKM {
 struct Credentials {
 Credentials() : clientUid(0) {}
- Credentials(uid_t socketUid, const Label &socketLabel)
- : clientUid(socketUid), smackLabel(socketLabel) {}
+ Credentials(uid_t socketUid, const ClientId &client)
+ : clientUid(socketUid), client(client) {}
 uid_t clientUid;
- Label smackLabel;
+ ClientId client;
 };
 } // namespace CKM
diff --git a/src/manager/main/service-messages.h b/src/manager/main/service-messages.h
index 0815f6df..dbe76483 100644
--- a/src/manager/main/service-messages.h
+++ b/src/manager/main/service-messages.h
@@ -44,12 +44,17 @@ struct MsgBase {
 // key request
 struct MsgKeyRequest : public MsgBase {
 MsgKeyRequest(int id, const Credentials &cred, const Name &name,
- const Label &label, const Password &password) :
- MsgBase(id), cred(cred), name(name), label(label), password(password) {}
+ const ClientId &explicitOwner, const Password &password) :
+ MsgBase(id),
+ cred(cred),
+ name(name),
+ explicitOwner(explicitOwner),
+ password(password)
+ {}
 Credentials cred;
 Name name;
- Label label;
+ ClientId explicitOwner;
 Password password;
 };
diff --git a/src/manager/main/socket-2-id.cpp b/src/manager/main/socket-2-id.cpp
index ea0b50ab..8d4f712f 100644
--- a/src/manager/main/socket-2-id.cpp
+++ b/src/manager/main/socket-2-id.cpp
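Review bot: The new Credentials constructor names its parameter `client`, the same as the member it initialises; `client(client)` is well-defined in a mem-initializer but it trips -Wshadow and is easy to misread. Since callers hand in an rvalue anyway — socket-manager.cpp in this commit does `std::move(client)` into this `const ClientId &`, which silently copies — take the id by value and move it: `Credentials(uid_t socketUid, ClientId socketClient)` / `: clientUid(socketUid), client(std::move(socketClient)) {}` (needs `<utility>`). The new MsgKeyRequest constructor in service-messages.h on this line has the same const-reference-then-copy shape, though its callers are not visible here.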
@@ -96,15 +96,15 @@ int Socket2Id::getCredentialsFromSocket(int sock, std::string &res)
 return assignToString(result, length, res);
 }
-void Socket2Id::mapToDomainLabel(std::string &label)
+void Socket2Id::mapToDomainClient(std::string &pkgId)
 {
 static const std::string subdomainSep = "::";
- static const auto systemLabelLen = strlen(OWNER_ID_SYSTEM);
+ static const auto systemClientLen = strlen(CLIENT_ID_SYSTEM);
- if (label.length() > systemLabelLen + subdomainSep.length() &&
- label.compare(0, systemLabelLen, OWNER_ID_SYSTEM) == 0 &&
- label.compare(systemLabelLen, subdomainSep.length(), subdomainSep) == 0) {
- label = OWNER_ID_SYSTEM;
+ if (pkgId.length() > systemClientLen + subdomainSep.length() &&
+ pkgId.compare(0, systemClientLen, CLIENT_ID_SYSTEM) == 0 &&
+ pkgId.compare(systemClientLen, subdomainSep.length(), subdomainSep) == 0) {
+ pkgId = CLIENT_ID_SYSTEM;
 }
 }
@@ -138,7 +138,7 @@ int Socket2Id::translate(int sock, std::string &result)
 pkgId = "/" + smack;
 }
- mapToDomainLabel(pkgId);
+ mapToDomainClient(pkgId);
 result = pkgId;
 m_stringMap.emplace(std::move(smack), std::move(pkgId));
diff --git a/src/manager/main/socket-2-id.h b/src/manager/main/socket-2-id.h
index 3e970c28..754683d9 100644
--- a/src/manager/main/socket-2-id.h
+++ b/src/manager/main/socket-2-id.h
@@ -36,7 +36,7 @@ public:
 private:
 int getCredentialsFromSocket(int sock, std::string &res);
- void mapToDomainLabel(std::string &label);
+ void mapToDomainClient(std::string &label);
 typedef std::map<std::string, std::string> StringMap;
 StringMap m_stringMap;
diff --git a/src/manager/main/socket-manager.cpp b/src/manager/main/socket-manager.cpp
index ee5a0bf2..db3f2a67 100644
--- a/src/manager/main/socket-manager.cpp
+++ b/src/manager/main/socket-manager.cpp
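Review bot: The declaration in socket-2-id.h still names the parameter `label` (`void mapToDomainClient(std::string &label);`) while the definition in socket-2-id.cpp renamed it to `pkgId`; aligning it to `void mapToDomainClient(std::string &pkgId);` finishes the rename the commit is making. The function's purpose is also undocumented; the compare chain collapses any id of the form "/System::<something>" to the plain CLIENT_ID_SYSTEM, so a line above the definition such as `// Collapse "/System::<subdomain>" ids to CLIENT_ID_SYSTEM — presumably so every system subdomain is treated as the same client; confirm` would record that.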
@@ -51,9 +51,9 @@ const time_t SOCKET_TIMEOUT = 1000;
 int getCredentialsFromSocket(int sock, CKM::Credentials &cred)
 {
 static CKM::Socket2Id sock2id;
- std::string ownerId;
+ CKM::ClientId client;
- if (0 > sock2id.translate(sock, ownerId))
+ if (0 > sock2id.translate(sock, client))
 return -1;
 ucred peerCred;
@@ -64,7 +64,7 @@ int getCredentialsFromSocket(int sock, CKM::Credentials &cred)
 return -1;
 }
- cred = CKM::Credentials(peerCred.uid, std::move(ownerId));
+ cred = CKM::Credentials(peerCred.uid, std::move(client));
 return 0;
 }
diff --git a/src/manager/service/access-control.cpp b/src/manager/service/access-control.cpp
index 95cd3a30..07041476 100644
--- a/src/manager/service/access-control.cpp
+++ b/src/manager/service/access-control.cpp
@@ -65,12 +65,12 @@ bool AccessControl::isSystemService(const CKM::Credentials &cred) const
 int AccessControl::canSave(
 const CKM::Credentials &accessorCred,
- const Label &ownerLabel) const
+ const ClientId &owner) const
 {
 if (isSystemService(accessorCred))
 return CKM_API_SUCCESS;
- if (ownerLabel != accessorCred.smackLabel)
+ if (owner != accessorCred.client)
 return CKM_API_ERROR_ACCESS_DENIED;
 return CKM_API_SUCCESS;
@@ -78,19 +78,19 @@ int AccessControl::canSave(
 int AccessControl::canModify(
 const CKM::Credentials &accessorCred,
- const Label &ownerLabel) const
+ const ClientId &owner) const
 {
- return canSave(accessorCred, ownerLabel);
+ return canSave(accessorCred, owner);
 }
 int AccessControl::canRead(
 const CKM::Credentials &accessorCred,
- const PermissionForLabel &permissionLabel) const
+ const PermissionMask &existingPermission) const
 {
 if (isSystemService(accessorCred))
 return CKM_API_SUCCESS;
- if (permissionLabel & Permission::READ)
+ if (existingPermission & Permission::READ)
 return CKM_API_SUCCESS;
 return CKM_API_ERROR_DB_ALIAS_UNKNOWN;
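Review bot: canRead answers CKM_API_ERROR_DB_ALIAS_UNKNOWN rather than ACCESS_DENIED when existingPermission carries no READ bit, and canDelete on the next line does the same when neither REMOVE nor READ is set; that asymmetry looks deliberate — a caller holding no grant learns nothing about whether the alias exists — but nothing in the hunk records it, and the parameter rename is the natural moment to do so. A comment before the final return, `// No grant at all: report the alias as unknown rather than denied, so a client cannot tell whether another owner's alias exists`, would carry the intent over to the new names in both functions.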
@@ -99,11 +99,11 @@ int AccessControl::canRead( int AccessControl::canExport( const CKM::Credentials &accessorCred, const DB::Row &row, - const PermissionForLabel &permissionLabel) const + const PermissionMask &existingPermission) const { int ec; - if (CKM_API_SUCCESS != (ec = canRead(accessorCred, permissionLabel))) + if (CKM_API_SUCCESS != (ec = canRead(accessorCred, existingPermission))) return ec; // check if can export @@ -119,15 +119,15 @@ int AccessControl::canExport( int AccessControl::canDelete( const CKM::Credentials &accessorCred, - const PermissionForLabel &permissionLabel) const + const PermissionMask &existingPermission) const { if (isSystemService(accessorCred)) return CKM_API_SUCCESS; - if (permissionLabel & Permission::REMOVE) + if (existingPermission & Permission::REMOVE) return CKM_API_SUCCESS; - if (permissionLabel & Permission::READ) + if (existingPermission & Permission::READ) return CKM_API_ERROR_ACCESS_DENIED; return CKM_API_ERROR_DB_ALIAS_UNKNOWN; diff --git a/src/manager/service/access-control.h b/src/manager/service/access-control.h index f5c2fea9..4488b92e 100644 --- a/src/manager/service/access-control.h +++ b/src/manager/service/access-control.h 
@@ -43,21 +43,21 @@ public: * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code */ int canSave(const CKM::Credentials &accessorCred, - const Label &ownerLabel) const; + const ClientId &owner) const; /** - * check if given label can be modified by accessor + * check if given data can be modified by accessor * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code */ int canModify(const CKM::Credentials &accessorCred, - const Label &ownerLabel) const; + const ClientId &owner) const; /** * check if given row can be read (for internal use) * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code */ int canRead(const CKM::Credentials &accessorCred, - const PermissionForLabel &permissionLabel) const; + const PermissionMask &existingPermission) const; /** * check if given row can be exported (data provided to the client) @@ -65,14 +65,14 @@ public: */ int canExport(const CKM::Credentials &accessorCred, const DB::Row &row, - const PermissionForLabel &permissionLabel) const; + const PermissionMask &existingPermission) const; /** - * check if given accessor can delete ownerLabel's items. + * check if given accessor can delete owner's items. * @return CKM_API_SUCCESS if access is allowed, otherwise negative error code */ int canDelete(const CKM::Credentials &accessorCred, - const PermissionForLabel &permissionLabel) const; + const PermissionMask &existingPermission) const; void updateCCMode(); bool isCCMode() const; diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp index 7d976a9f..635f8b9c 100644 --- a/src/manager/service/ckm-logic.cpp +++ b/src/manager/service/ckm-logic.cpp 
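Review bot: The doc comment on `canDelete` still reads "check if given accessor can delete owner's items", but the function no longer receives an owner at all — it only sees the accessor's permission mask for one row — so the comment describes a parameter that does not exist. Suggest `* check if the accessor's permission mask for a row allows deleting it`, and since the .cpp returns CKM_API_ERROR_ACCESS_DENIED only when READ is held without REMOVE and CKM_API_ERROR_DB_ALIAS_UNKNOWN when no bit is held, add `* @return CKM_API_ERROR_DB_ALIAS_UNKNOWN when the accessor holds no permission, so the alias' existence is not revealed`. The "given row" wording on `canRead`/`canExport` has the same drift now that their argument is a mask rather than a row.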
@@ -39,10 +39,9 @@ namespace { const char *const CERT_SYSTEM_DIR = CA_CERTS_DIR; const char *const SYSTEM_DB_PASSWD = "cAtRugU7"; -bool isLabelValid(const CKM::Label &label) +bool isClientValid(const CKM::ClientId &client) { - // TODO: copy code from libprivilege control (for check smack label) - if (label.find(CKM::LABEL_NAME_SEPARATOR) != CKM::Label::npos) + if (client.find(CKM::ALIAS_SEPARATOR) != CKM::ClientId::npos) return false; return true; @@ -50,7 +49,7 @@ bool isLabelValid(const CKM::Label &label) bool isNameValid(const CKM::Name &name) { - if (name.find(CKM::LABEL_NAME_SEPARATOR) != CKM::Name::npos) + if (name.find(CKM::ALIAS_SEPARATOR) != CKM::Name::npos) return false; return true; @@ -102,7 +101,7 @@ void CKMLogic::migrateSecureStorageData(bool isAdminUser) const Crypto::Data &data, bool adminUserFlag) { LogInfo("Migrate data called with name: " << name); - auto ownerId = adminUserFlag ? OWNER_ID_ADMIN_USER : OWNER_ID_SYSTEM; + auto ownerId = adminUserFlag ? CLIENT_ID_ADMIN_USER : CLIENT_ID_SYSTEM; auto uid = adminUserFlag ? ADMIN_USER_DB_UID : SYSTEM_DB_UID; int ret = verifyAndSaveDataHelper(Credentials(uid, ownerId), name, ownerId, data, @@ -144,11 +143,11 @@ int CKMLogic::unlockDatabase(uid_t user, const Password &password) if (!m_accessControl.isSystemService(user)) { // remove data of removed apps during locked state - AppLabelVector removedApps = fs.clearRemovedsApps(); + ClientIdVector removedApps = fs.clearRemovedsApps(); - for (auto &appSmackLabel : removedApps) { - handle.crypto.removeKey(appSmackLabel); - handle.database.deleteKey(appSmackLabel); + for (auto &app : removedApps) { + handle.crypto.removeKey(app); + handle.database.deleteKey(app); } } 
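Review bot: `isClientValid` drops the TODO about validating the id's format and leaves the alias separator as the only rejected content, but neither the code nor a comment says why that is enough now that the owner string arrives from the IPC client. It is enough only because authorization lives elsewhere — `AccessControl::canSave` compares the owner with `cred.client` for non-system callers — so a comment would stop the next maintainer from re-adding format checks here or, worse, treating this function as an access check: `// Only the alias separator is forbidden (alias = owner + ALIAS_SEPARATOR + name); who may use an owner id is decided by AccessControl, not here.` An empty id also passes; the callers substitute `cred.client` for an empty explicit owner, and that convention is worth stating in the same comment.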
@@ -175,21 +174,21 @@ int CKMLogic::unlockSystemDB() } UserData &CKMLogic::selectDatabase(const Credentials &cred, - const Label &incoming_label) + const ClientId &explicitOwner) { // if user trying to access system service - check: // * if user database is unlocked [mandatory] // * if not - proceed with regular user database - // * if explicit system database label given -> switch to system DB + // * if explicit system database owner given -> switch to system DB if (!m_accessControl.isSystemService(cred)) { if (0 == m_userDataMap.count(cred.clientUid)) ThrowErr(Exc::DatabaseLocked, "database with UID: ", cred.clientUid, " locked"); - if (0 != incoming_label.compare(OWNER_ID_SYSTEM)) + if (0 != explicitOwner.compare(CLIENT_ID_SYSTEM)) return m_userDataMap[cred.clientUid]; } - // system database selected, modify the label + // system database selected, modify the owner id if (CKM_API_SUCCESS != unlockSystemDB()) ThrowErr(Exc::DatabaseLocked, "can not unlock system database"); @@ -316,12 +315,12 @@ RawBuffer CKMLogic::resetUserPassword( return MessageBuffer::Serialize(retCode).Pop(); } -RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel) +RawBuffer CKMLogic::removeApplicationData(const ClientId &owner) { int retCode = CKM_API_SUCCESS; try { - if (smackLabel.empty()) { + if (owner.empty()) { retCode = CKM_API_ERROR_INPUT_PARAM; } else { UidVector uids = FileSystem::getUIDsFromDBFile(); @@ -329,11 +328,11 @@ RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel) for (auto userId : uids) { if (0 == m_userDataMap.count(userId)) { FileSystem fs(userId); - fs.addRemovedApp(smackLabel); + fs.addRemovedApp(owner); } else { auto &handle = m_userDataMap[userId]; - handle.crypto.removeKey(smackLabel); - handle.database.deleteKey(smackLabel); + handle.crypto.removeKey(owner); + handle.database.deleteKey(owner); } } } 
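Review bot: The comment `// system database selected, modify the owner id` in `selectDatabase` no longer describes the code: `explicitOwner` is a const reference and the only thing that happens after that point in the hunk is `unlockSystemDB()` (the function's tail is outside the hunk), so nothing is modified. Suggest `// system database selected: the caller is a system service, or a user explicitly named CLIENT_ID_SYSTEM as owner — make sure it is unlocked`, which also records that a plain user can reach the system DB by naming that owner, a fact the access checks downstream depend on.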
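Review bot: `removeApplicationData` accepts `owner` with only an emptiness check before it is written to the removed-apps list and used as a key-table identifier, whereas every save path runs the owner through `isClientValid`. If the value is meant to be a client id in the same sense, rejecting ids that fail `isClientValid` — `if (owner.empty() || !isClientValid(owner)) retCode = CKM_API_ERROR_INPUT_PARAM;` — keeps the persisted list from ever holding an id no save path could have produced; if the looser check is intentional (e.g. the uninstaller passes something other than a client id), a comment saying so would help.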
@@ -348,47 +347,47 @@ RawBuffer CKMLogic::removeApplicationData(const Label &smackLabel) } int CKMLogic::checkSaveConditions( - const Credentials &cred, + const Credentials &accessorCred, UserData &handler, const Name &name, - const Label &ownerLabel) + const ClientId &owner) { - // verify name and label are correct - if (!isNameValid(name) || !isLabelValid(ownerLabel)) { + // verify name and client are correct + if (!isNameValid(name) || !isClientValid(owner)) { LogDebug("Invalid parameter passed to key-manager"); return CKM_API_ERROR_INPUT_PARAM; } - // check if allowed to save using ownerLabel - int access_ec = m_accessControl.canSave(cred, ownerLabel); + // check if accessor is allowed to save owner's items + int access_ec = m_accessControl.canSave(accessorCred, owner); if (access_ec != CKM_API_SUCCESS) { - LogDebug("label " << cred.smackLabel << " can not save rows using label " << - ownerLabel); + LogDebug("accessor " << accessorCred.client << " can not save rows owned by " << + owner); return access_ec; } // check if not a duplicate - if (handler.database.isNameLabelPresent(name, ownerLabel)) + if (handler.database.isNameOwnerPresent(name, owner)) return CKM_API_ERROR_DB_ALIAS_EXISTS; // encryption section - if (!handler.crypto.haveKey(ownerLabel)) { + if (!handler.crypto.haveKey(owner)) { RawBuffer got_key; - auto key_optional = handler.database.getKey(ownerLabel); + auto key_optional = handler.database.getKey(owner); if (!key_optional) { - LogDebug("No Key in database found. Generating new one for label: " << - ownerLabel); - got_key = handler.keyProvider.generateDEK(ownerLabel); - handler.database.saveKey(ownerLabel, got_key); + LogDebug("No Key in database found. 
Generating new one for client: " << + owner); + got_key = handler.keyProvider.generateDEK(owner); + handler.database.saveKey(owner, got_key); } else { LogDebug("Key from DB"); got_key = *key_optional; } got_key = handler.keyProvider.getPureDEK(got_key); - handler.crypto.pushKey(ownerLabel, got_key); + handler.crypto.pushKey(owner, got_key); } return CKM_API_SUCCESS; @@ -397,7 +396,7 @@ int CKMLogic::checkSaveConditions( DB::Row CKMLogic::createEncryptedRow( CryptoLogic &crypto, const Name &name, - const Label &label, + const ClientId &owner, const Crypto::Data &data, const Policy &policy) const { @@ -406,7 +405,7 @@ DB::Row CKMLogic::createEncryptedRow( // do not encrypt data with password during cc_mode on Token token = store.import(data, m_accessControl.isCCMode() ? "" : policy.password); - DB::Row row(std::move(token), name, label, + DB::Row row(std::move(token), name, owner, static_cast<int>(policy.extractable)); crypto.encryptRow(row); return row; @@ -457,7 +456,7 @@ int CKMLogic::toBinaryData(const Crypto::Data &input, int CKMLogic::verifyAndSaveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy) { @@ -471,7 +470,7 @@ int CKMLogic::verifyAndSaveDataHelper( if (retCode != CKM_API_SUCCESS) return retCode; else - return saveDataHelper(cred, name, label, binaryData, policy); + return saveDataHelper(cred, name, explicitOwner, binaryData, policy); } catch (const Exc::Exception &e) { return e.error(); } catch (const CKM::Exception &e) { 
@@ -483,14 +482,14 @@ int CKMLogic::verifyAndSaveDataHelper( int CKMLogic::getKeyForService( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &pass, Crypto::GObjShPtr &key) { try { // Key is for internal service use. It won't be exported to the client Crypto::GObjUPtr obj; - int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, label, + int retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, name, explicitOwner, pass, obj); if (retCode == CKM_API_SUCCESS) @@ -509,11 +508,11 @@ RawBuffer CKMLogic::saveData( const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy) { - int retCode = verifyAndSaveDataHelper(cred, name, label, data, policy); + int retCode = verifyAndSaveDataHelper(cred, name, explicitOwner, data, policy); auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::SAVE), commandId, retCode, @@ -524,7 +523,7 @@ RawBuffer CKMLogic::saveData( int CKMLogic::extractPKCS12Data( CryptoLogic &crypto, const Name &name, - const Label &ownerLabel, + const ClientId &owner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy, @@ -544,7 +543,7 @@ int CKMLogic::extractPKCS12Data( if (retCode != CKM_API_SUCCESS) return retCode; - output.push_back(createEncryptedRow(crypto, name, ownerLabel, keyData, + output.push_back(createEncryptedRow(crypto, name, owner, keyData, keyPolicy)); // certificate is mandatory @@ -561,7 +560,7 @@ int CKMLogic::extractPKCS12Data( if (retCode != CKM_API_SUCCESS) return retCode; - output.push_back(createEncryptedRow(crypto, name, ownerLabel, certData, + output.push_back(createEncryptedRow(crypto, name, owner, certData, certPolicy)); // CA cert chain 
@@ -575,7 +574,7 @@ int CKMLogic::extractPKCS12Data( if (retCode != CKM_API_SUCCESS) return retCode; - output.push_back(createEncryptedRow(crypto, name, ownerLabel, caCertData, + output.push_back(createEncryptedRow(crypto, name, owner, caCertData, certPolicy)); } @@ -586,7 +585,7 @@ RawBuffer CKMLogic::savePKCS12( const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy) @@ -594,7 +593,7 @@ RawBuffer CKMLogic::savePKCS12( int retCode = CKM_API_ERROR_UNKNOWN; try { - retCode = saveDataHelper(cred, name, label, pkcs, keyPolicy, certPolicy); + retCode = saveDataHelper(cred, name, explicitOwner, pkcs, keyPolicy, certPolicy); } catch (const Exc::Exception &e) { retCode = e.error(); } catch (const CKM::Exception &e) { @@ -613,15 +612,15 @@ RawBuffer CKMLogic::savePKCS12( int CKMLogic::removeDataHelper( const Credentials &cred, const Name &name, - const Label &label) + const ClientId &explicitOwner) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; - if (!isNameValid(name) || !isLabelValid(ownerLabel)) { - LogDebug("Invalid label or name format"); + if (!isNameValid(name) || !isClientValid(owner)) { + LogDebug("Invalid owner or name format"); return CKM_API_ERROR_INPUT_PARAM; } 
@@ -629,9 +628,9 @@ int CKMLogic::removeDataHelper( // read and check permissions PermissionMaskOptional permissionRowOpt = - handler.database.getPermissionRow(name, ownerLabel, cred.smackLabel); + handler.database.getPermissionRow(name, owner, cred.client); int retCode = m_accessControl.canDelete(cred, - PermissionForLabel(cred.smackLabel, permissionRowOpt)); + toPermissionMask(permissionRowOpt)); if (retCode != CKM_API_SUCCESS) { LogWarning("access control check result: " << retCode); @@ -640,16 +639,16 @@ int CKMLogic::removeDataHelper( // get all matching rows DB::RowVector rows; - handler.database.getRows(name, ownerLabel, DataType::DB_FIRST, + handler.database.getRows(name, owner, DataType::DB_FIRST, DataType::DB_LAST, rows); if (rows.empty()) { - LogDebug("No row for given name and label"); + LogDebug("No row for given name and owner"); return CKM_API_ERROR_DB_ALIAS_UNKNOWN; } // load app key if needed - retCode = loadAppKey(handler, rows.front().ownerLabel); + retCode = loadAppKey(handler, rows.front().owner); if (CKM_API_SUCCESS != retCode) return retCode; @@ -665,7 +664,7 @@ int CKMLogic::removeDataHelper( } // delete row in db - handler.database.deleteRow(name, ownerLabel); + handler.database.deleteRow(name, owner); transaction.commit(); return CKM_API_SUCCESS; @@ -675,12 +674,12 @@ RawBuffer CKMLogic::removeData( const Credentials &cred, int commandId, const Name &name, - const Label &label) + const ClientId &explicitOwner) { int retCode = CKM_API_ERROR_UNKNOWN; try { - retCode = removeDataHelper(cred, name, label); + retCode = removeDataHelper(cred, name, explicitOwner); } catch (const Exc::Exception &e) { retCode = e.error(); } catch (const CKM::Exception &e) { @@ -695,7 +694,7 @@ RawBuffer CKMLogic::removeData( } int CKMLogic::readSingleRow(const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType dataType, DB::Crypto &database, DB::Row &row) 
@@ -705,18 +704,18 @@ int CKMLogic::readSingleRow(const Name &name, if (dataType.isKey()) { // read all key types row_optional = database.getRow(name, - ownerLabel, + owner, DataType::DB_KEY_FIRST, DataType::DB_KEY_LAST); } else { // read anything else row_optional = database.getRow(name, - ownerLabel, + owner, dataType); } if (!row_optional) { - LogDebug("No row for given name, label and type"); + LogDebug("No row for given name, owner and type"); return CKM_API_ERROR_DB_ALIAS_UNKNOWN; } else { row = *row_optional; @@ -727,7 +726,7 @@ int CKMLogic::readSingleRow(const Name &name, int CKMLogic::readMultiRow(const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType dataType, DB::Crypto &database, DB::RowVector &output) 
@@ -735,49 +734,49 @@ int CKMLogic::readMultiRow(const Name &name, if (dataType.isKey()) // read all key types database.getRows(name, - ownerLabel, + owner, DataType::DB_KEY_FIRST, DataType::DB_KEY_LAST, output); else if (dataType.isChainCert()) // read all key types database.getRows(name, - ownerLabel, + owner, DataType::DB_CHAIN_FIRST, DataType::DB_CHAIN_LAST, output); else // read anything else database.getRows(name, - ownerLabel, + owner, dataType, output); if (!output.size()) { - LogDebug("No row for given name, label and type"); + LogDebug("No row for given name, owner and type"); return CKM_API_ERROR_DB_ALIAS_UNKNOWN; } return CKM_API_SUCCESS; } -int CKMLogic::checkDataPermissionsHelper(const Credentials &cred, +int CKMLogic::checkDataPermissionsHelper(const Credentials &accessorCred, const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, const DB::Row &row, bool exportFlag, DB::Crypto &database) { PermissionMaskOptional permissionRowOpt = - database.getPermissionRow(name, ownerLabel, accessorLabel); + database.getPermissionRow(name, owner, accessorCred.client); if (exportFlag) - return m_accessControl.canExport(cred, row, PermissionForLabel(accessorLabel, - permissionRowOpt)); + return m_accessControl.canExport(accessorCred, + row, + toPermissionMask(permissionRowOpt)); - return m_accessControl.canRead(cred, PermissionForLabel(accessorLabel, - permissionRowOpt)); + return m_accessControl.canRead(accessorCred, + toPermissionMask(permissionRowOpt)); } Crypto::GObjUPtr CKMLogic::rowToObject( 
@@ -827,22 +826,22 @@ int CKMLogic::readDataHelper( const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtrVector &objs) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; - if (!isNameValid(name) || !isLabelValid(ownerLabel)) + if (!isNameValid(name) || !isClientValid(owner)) return CKM_API_ERROR_INPUT_PARAM; // read rows DB::Crypto::Transaction transaction(&handler.database); DB::RowVector rows; - int retCode = readMultiRow(name, ownerLabel, dataType, handler.database, rows); + int retCode = readMultiRow(name, owner, dataType, handler.database, rows); if (CKM_API_SUCCESS != retCode) return retCode; @@ -851,14 +850,14 @@ int CKMLogic::readDataHelper( DB::Row &firstRow = rows.at(0); // check access rights - retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel, - firstRow, exportFlag, handler.database); + retCode = checkDataPermissionsHelper(cred, name, owner, firstRow, + exportFlag, handler.database); if (CKM_API_SUCCESS != retCode) return retCode; // load app key if needed - retCode = loadAppKey(handler, firstRow.ownerLabel); + retCode = loadAppKey(handler, firstRow.owner); if (CKM_API_SUCCESS != retCode) return retCode; 
@@ -878,13 +877,13 @@ int CKMLogic::readDataHelper( const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtr &obj) { DataType objDataType; - return readDataHelper(exportFlag, cred, dataType, name, label, password, obj, - objDataType); + return readDataHelper(exportFlag, cred, dataType, name, explicitOwner, + password, obj, objDataType); } int CKMLogic::readDataHelper( @@ -892,23 +891,23 @@ int CKMLogic::readDataHelper( const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtr &obj, DataType &objDataType) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; - if (!isNameValid(name) || !isLabelValid(ownerLabel)) + if (!isNameValid(name) || !isClientValid(owner)) return CKM_API_ERROR_INPUT_PARAM; // read row DB::Crypto::Transaction transaction(&handler.database); DB::Row row; - int retCode = readSingleRow(name, ownerLabel, dataType, handler.database, row); + int retCode = readSingleRow(name, owner, dataType, handler.database, row); if (CKM_API_SUCCESS != retCode) return retCode; 
@@ -916,14 +915,14 @@ int CKMLogic::readDataHelper( objDataType = row.dataType; // check access rights - retCode = checkDataPermissionsHelper(cred, name, ownerLabel, cred.smackLabel, - row, exportFlag, handler.database); + retCode = checkDataPermissionsHelper(cred, name, owner, row, exportFlag, + handler.database); if (CKM_API_SUCCESS != retCode) return retCode; // load app key if needed - retCode = loadAppKey(handler, row.ownerLabel); + retCode = loadAppKey(handler, row.owner); if (CKM_API_SUCCESS != retCode) return retCode; @@ -940,7 +939,7 @@ RawBuffer CKMLogic::getData( int commandId, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password) { int retCode = CKM_API_SUCCESS; @@ -949,8 +948,8 @@ RawBuffer CKMLogic::getData( try { Crypto::GObjUPtr obj; - retCode = readDataHelper(true, cred, dataType, name, label, password, obj, - objDataType); + retCode = readDataHelper(true, cred, dataType, name, explicitOwner, + password, obj, objDataType); if (retCode == CKM_API_SUCCESS) rowData = obj->getBinary(); @@ -975,7 +974,7 @@ RawBuffer CKMLogic::getData( int CKMLogic::getPKCS12Helper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &keyPassword, const Password &certPassword, KeyShPtr &privKey, @@ -986,7 +985,7 @@ int CKMLogic::getPKCS12Helper( // read private key (mandatory) Crypto::GObjUPtr keyObj; - retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, label, + retCode = readDataHelper(true, cred, DataType::DB_KEY_FIRST, name, explicitOwner, keyPassword, keyObj); if (retCode != CKM_API_SUCCESS) { @@ -998,7 +997,7 @@ int CKMLogic::getPKCS12Helper( // read certificate (mandatory) Crypto::GObjUPtr certObj; - retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, label, + retCode = readDataHelper(true, cred, DataType::CERTIFICATE, name, explicitOwner, certPassword, certObj); if (retCode != CKM_API_SUCCESS) { 
@@ -1010,7 +1009,7 @@ int CKMLogic::getPKCS12Helper( // read CA cert chain (optional) Crypto::GObjUPtrVector caChainObjs; - retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, label, + retCode = readDataHelper(true, cred, DataType::DB_CHAIN_FIRST, name, explicitOwner, certPassword, caChainObjs); if (retCode != CKM_API_SUCCESS && retCode != CKM_API_ERROR_DB_ALIAS_UNKNOWN) { @@ -1033,7 +1032,7 @@ RawBuffer CKMLogic::getPKCS12( const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &keyPassword, const Password &certPassword) { @@ -1045,8 +1044,8 @@ RawBuffer CKMLogic::getPKCS12( KeyShPtr privKey; CertificateShPtr cert; CertificateShPtrVector caChain; - retCode = getPKCS12Helper(cred, name, label, keyPassword, certPassword, privKey, - cert, caChain); + retCode = getPKCS12Helper(cred, name, explicitOwner, keyPassword, + certPassword, privKey, cert, caChain); // prepare response if (retCode == CKM_API_SUCCESS) @@ -1069,7 +1068,7 @@ RawBuffer CKMLogic::getPKCS12( int CKMLogic::getDataListHelper(const Credentials &cred, const DataType dataType, - LabelNameVector &labelNameVector) + OwnerNameVector &ownerNameVector) { int retCode = CKM_API_ERROR_DB_LOCKED; @@ -1077,22 +1076,22 @@ int CKMLogic::getDataListHelper(const Credentials &cred, auto &database = m_userDataMap[cred.clientUid].database; try { - LabelNameVector tmpVector; + OwnerNameVector tmpVector; if (dataType.isKey()) { // list all key types - database.listNames(cred.smackLabel, + database.listNames(cred.client, tmpVector, DataType::DB_KEY_FIRST, DataType::DB_KEY_LAST); } else { // list anything else - database.listNames(cred.smackLabel, + database.listNames(cred.client, tmpVector, dataType); } - labelNameVector.insert(labelNameVector.end(), tmpVector.begin(), + ownerNameVector.insert(ownerNameVector.end(), tmpVector.begin(), tmpVector.end()); retCode = CKM_API_SUCCESS; } catch (const CKM::Exception &e) { 
@@ -1111,9 +1110,9 @@ RawBuffer CKMLogic::getDataList( int commandId, DataType dataType) { - LabelNameVector systemVector; - LabelNameVector userVector; - LabelNameVector labelNameVector; + OwnerNameVector systemVector; + OwnerNameVector userVector; + OwnerNameVector ownerNameVector; int retCode = unlockSystemDB(); @@ -1122,13 +1121,13 @@ RawBuffer CKMLogic::getDataList( if (m_accessControl.isSystemService(cred)) { // lookup system DB retCode = getDataListHelper(Credentials(SYSTEM_DB_UID, - OWNER_ID_SYSTEM), + CLIENT_ID_SYSTEM), dataType, systemVector); } else { // user - lookup system, then client DB retCode = getDataListHelper(Credentials(SYSTEM_DB_UID, - cred.smackLabel), + cred.client), dataType, systemVector); @@ -1142,9 +1141,9 @@ RawBuffer CKMLogic::getDataList( } if (retCode == CKM_API_SUCCESS) { - labelNameVector.insert(labelNameVector.end(), systemVector.begin(), + ownerNameVector.insert(ownerNameVector.end(), systemVector.begin(), systemVector.end()); - labelNameVector.insert(labelNameVector.end(), userVector.begin(), + ownerNameVector.insert(ownerNameVector.end(), userVector.begin(), userVector.end()); } @@ -1153,7 +1152,7 @@ RawBuffer CKMLogic::getDataList( commandId, retCode, static_cast<int>(dataType), - labelNameVector); + ownerNameVector); return response.Pop(); } 
@@ -1164,14 +1163,14 @@ int CKMLogic::importInitialData( const Policy &policy) { try { - // Inital values are always imported with root credentials. Label is not important. + // Inital values are always imported with root credentials. Client id is not important. Credentials rootCred(0, ""); - auto &handler = selectDatabase(rootCred, OWNER_ID_SYSTEM); + auto &handler = selectDatabase(rootCred, CLIENT_ID_SYSTEM); // check if save is possible DB::Crypto::Transaction transaction(&handler.database); - int retCode = checkSaveConditions(rootCred, handler, name, OWNER_ID_SYSTEM); + int retCode = checkSaveConditions(rootCred, handler, name, CLIENT_ID_SYSTEM); if (retCode != CKM_API_SUCCESS) return retCode; @@ -1193,7 +1192,7 @@ int CKMLogic::importInitialData( m_accessControl.isCCMode() ? "" : policy.password, enc); } - DB::Row row(std::move(token), name, OWNER_ID_SYSTEM, + DB::Row row(std::move(token), name, CLIENT_ID_SYSTEM, static_cast<int>(policy.extractable)); handler.crypto.encryptRow(row); 
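Review bot: The comment "Client id is not important" above `Credentials rootCred(0, "")` holds only because `checkSaveConditions` → `AccessControl::canSave` short-circuits on `isSystemService(accessorCred)`; for any caller not classified as a system service the empty client would fail the `owner != accessorCred.client` comparison against CLIENT_ID_SYSTEM. Since a future change to what counts as a system service would then silently break initial-value import, the dependency is worth stating (and "Inital" is a typo): `// Initial values are always imported with root credentials; the client id is irrelevant because canSave admits system-service callers without comparing it to the owner.`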
@@ -1215,28 +1214,28 @@ int CKMLogic::importInitialData( int CKMLogic::saveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; if (m_accessControl.isSystemService(cred) && - ownerLabel.compare(OWNER_ID_SYSTEM) != 0) + owner.compare(CLIENT_ID_SYSTEM) != 0) return CKM_API_ERROR_INPUT_PARAM; // check if save is possible DB::Crypto::Transaction transaction(&handler.database); - int retCode = checkSaveConditions(cred, handler, name, ownerLabel); + int retCode = checkSaveConditions(cred, handler, name, owner); if (retCode != CKM_API_SUCCESS) return retCode; // save the data - DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, ownerLabel, + DB::Row encryptedRow = createEncryptedRow(handler.crypto, name, owner, data, policy); handler.database.saveRow(encryptedRow); 
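Review bot: The owner-resolution and "system services may only write CLIENT_ID_SYSTEM" check is now copied verbatim into `saveDataHelper` (both overloads), `createKeyAESHelper` and twice into `createKeyPairHelper`, so a future tightening of that rule has five places to miss. Since this is the line between a system service writing under an arbitrary application's id and being rejected, pulling it into one private helper (declared in ckm-logic.h) makes the policy reviewable in one place; the helper below returns the resolved owner by reference so the existing `checkSaveConditions` calls are unchanged apart from `int retCode =` becoming `retCode =`.
```cpp
// Owner a save-type operation writes under: the explicit owner if one was
// given, otherwise the caller itself. System services may only write
// CLIENT_ID_SYSTEM rows; anything else is an input error.
int CKMLogic::resolveSaveOwner(const Credentials &cred,
                               const ClientId &explicitOwner,
                               ClientId &owner) const
{
    owner = explicitOwner.empty() ? cred.client : explicitOwner;
    if (m_accessControl.isSystemService(cred) && owner.compare(CLIENT_ID_SYSTEM) != 0)
        return CKM_API_ERROR_INPUT_PARAM;
    return CKM_API_SUCCESS;
}

// in saveDataHelper (same shape in the PKCS12, AES and key-pair variants):
auto &handler = selectDatabase(cred, explicitOwner);
ClientId owner;
int retCode = resolveSaveOwner(cred, explicitOwner, owner);
if (retCode != CKM_API_SUCCESS)
    return retCode;
// … unchanged: transaction, checkSaveConditions (now `retCode = ...`), createEncryptedRow, saveRow …
```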
@@ -1247,37 +1246,37 @@ int CKMLogic::saveDataHelper( int CKMLogic::saveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; if (m_accessControl.isSystemService(cred) && - ownerLabel.compare(OWNER_ID_SYSTEM) != 0) + owner.compare(CLIENT_ID_SYSTEM) != 0) return CKM_API_ERROR_INPUT_PARAM; // check if save is possible DB::Crypto::Transaction transaction(&handler.database); - int retCode = checkSaveConditions(cred, handler, name, ownerLabel); + int retCode = checkSaveConditions(cred, handler, name, owner); if (retCode != CKM_API_SUCCESS) return retCode; // extract and encrypt the data DB::RowVector encryptedRows; - retCode = extractPKCS12Data(handler.crypto, name, ownerLabel, pkcs, keyPolicy, + retCode = extractPKCS12Data(handler.crypto, name, owner, pkcs, keyPolicy, certPolicy, encryptedRows); if (retCode != CKM_API_SUCCESS) return retCode; // save the data - handler.database.saveRows(name, ownerLabel, encryptedRows); + handler.database.saveRows(name, owner, encryptedRows); transaction.commit(); return CKM_API_SUCCESS; 
@@ -1288,21 +1287,21 @@ int CKMLogic::createKeyAESHelper( const Credentials &cred, const int size, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PolicySerializable &policy) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; if (m_accessControl.isSystemService(cred) && - ownerLabel.compare(OWNER_ID_SYSTEM) != 0) + owner.compare(CLIENT_ID_SYSTEM) != 0) return CKM_API_ERROR_INPUT_PARAM; // check if save is possible DB::Crypto::Transaction transaction(&handler.database); - int retCode = checkSaveConditions(cred, handler, name, ownerLabel); + int retCode = checkSaveConditions(cred, handler, name, owner); if (retCode != CKM_API_SUCCESS) return retCode; @@ -1315,7 +1314,7 @@ int CKMLogic::createKeyAESHelper( policy).generateSKey(keyGenAlgorithm, policy.password); // save the data - DB::Row row(std::move(key), name, ownerLabel, + DB::Row row(std::move(key), name, owner, static_cast<int>(policy.extractable)); handler.crypto.encryptRow(row); @@ -1329,14 +1328,14 @@ int CKMLogic::createKeyPairHelper( const Credentials &cred, const CryptoAlgorithmSerializable &keyGenParams, const Name &namePrivate, - const Label &labelPrivate, + const ClientId &explicitOwnerPrivate, const Name &namePublic, - const Label &labelPublic, + const ClientId &explicitOwnerPublic, const PolicySerializable &policyPrivate, const PolicySerializable &policyPublic) { - auto &handlerPriv = selectDatabase(cred, labelPrivate); - auto &handlerPub = selectDatabase(cred, labelPublic); + auto &handlerPriv = selectDatabase(cred, explicitOwnerPrivate); + auto &handlerPub = selectDatabase(cred, explicitOwnerPublic); AlgoType keyType = AlgoType::RSA_GEN; 
@@ -1351,19 +1350,19 @@ int CKMLogic::createKeyPairHelper( if (policyPrivate.backend != policyPublic.backend) ThrowErr(Exc::InputParam, "Error, key pair must be supported with the same backend."); - // use client label if not explicitly provided - const Label &ownerLabelPrv = labelPrivate.empty() ? cred.smackLabel : - labelPrivate; + // use client id if not explicitly provided + const ClientId &ownerPrv = explicitOwnerPrivate.empty() ? cred.client : + explicitOwnerPrivate; if (m_accessControl.isSystemService(cred) && - ownerLabelPrv.compare(OWNER_ID_SYSTEM) != 0) + ownerPrv.compare(CLIENT_ID_SYSTEM) != 0) return CKM_API_ERROR_INPUT_PARAM; - const Label &ownerLabelPub = labelPublic.empty() ? cred.smackLabel : - labelPublic; + const ClientId &ownerPub = explicitOwnerPublic.empty() ? cred.client : + explicitOwnerPublic; if (m_accessControl.isSystemService(cred) && - ownerLabelPub.compare(OWNER_ID_SYSTEM) != 0) + ownerPub.compare(CLIENT_ID_SYSTEM) != 0) return CKM_API_ERROR_INPUT_PARAM; bool exportable = policyPrivate.extractable || policyPublic.extractable; 
@@ -1379,23 +1378,23 @@ int CKMLogic::createKeyPairHelper( DB::Crypto::Transaction transactionPub(&handlerPub.database); int retCode; - retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerLabelPrv); + retCode = checkSaveConditions(cred, handlerPriv, namePrivate, ownerPrv); if (CKM_API_SUCCESS != retCode) return retCode; - retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerLabelPub); + retCode = checkSaveConditions(cred, handlerPub, namePublic, ownerPub); if (CKM_API_SUCCESS != retCode) return retCode; // save the data - DB::Row rowPrv(std::move(keys.first), namePrivate, ownerLabelPrv, + DB::Row rowPrv(std::move(keys.first), namePrivate, ownerPrv, static_cast<int>(policyPrivate.extractable)); handlerPriv.crypto.encryptRow(rowPrv); handlerPriv.database.saveRow(rowPrv); - DB::Row rowPub(std::move(keys.second), namePublic, ownerLabelPub, + DB::Row rowPub(std::move(keys.second), namePublic, ownerPub, static_cast<int>(policyPublic.extractable)); handlerPub.crypto.encryptRow(rowPub); handlerPub.database.saveRow(rowPub); @@ -1410,9 +1409,9 @@ RawBuffer CKMLogic::createKeyPair( int commandId, const CryptoAlgorithmSerializable &keyGenParams, const Name &namePrivate, - const Label &labelPrivate, + const ClientId &explicitOwnerPrivate, const Name &namePublic, - const Label &labelPublic, + const ClientId &explicitOwnerPublic, const PolicySerializable &policyPrivate, const PolicySerializable &policyPublic) { @@ -1423,9 +1422,9 @@ RawBuffer CKMLogic::createKeyPair( cred, keyGenParams, namePrivate, - labelPrivate, + explicitOwnerPrivate, namePublic, - labelPublic, + explicitOwnerPublic, policyPrivate, policyPublic); } catch (const Exc::Exception &e) { 
@@ -1444,13 +1443,13 @@ RawBuffer CKMLogic::createKeyAES( int commandId, const int size, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PolicySerializable &policy) { int retCode = CKM_API_SUCCESS; try { - retCode = createKeyAESHelper(cred, size, name, label, policy); + retCode = createKeyAESHelper(cred, size, name, explicitOwner, policy); } catch (const Exc::Exception &e) { retCode = e.error(); } catch (std::invalid_argument &e) { @@ -1467,10 +1466,10 @@ RawBuffer CKMLogic::createKeyAES( int CKMLogic::readCertificateHelper( const Credentials &cred, - const LabelNameVector &labelNameVector, + const OwnerNameVector &ownerNameVector, CertificateImplVector &certVector) { - for (auto &i : labelNameVector) { + for (auto &i : ownerNameVector) { // certificates can't be protected with custom user password Crypto::GObjUPtr obj; int ec; @@ -1559,8 +1558,8 @@ int CKMLogic::getCertificateChainHelper( int CKMLogic::getCertificateChainHelper( const Credentials &cred, const CertificateImpl &cert, - const LabelNameVector &untrusted, - const LabelNameVector &trusted, + const OwnerNameVector &untrusted, + const OwnerNameVector &trusted, bool useTrustedSystemCertificates, RawBufferVector &chainRawVector) { @@ -1637,8 +1636,8 @@ RawBuffer CKMLogic::getCertificateChain( const Credentials &cred, int commandId, const RawBuffer &certificate, - const LabelNameVector &untrustedCertificates, - const LabelNameVector &trustedCertificates, + const OwnerNameVector &untrustedCertificates, + const OwnerNameVector &trustedCertificates, bool useTrustedSystemCertificates) { int retCode = CKM_API_ERROR_UNKNOWN; @@ -1673,7 +1672,7 @@ RawBuffer CKMLogic::createSignature( const Credentials &cred, int commandId, const Name &privateKeyName, - const Label &ownerLabel, + const ClientId &explicitOwner, const Password &password, // password for private_key const RawBuffer &message, const CryptoAlgorithm &cryptoAlg) 
@@ -1685,7 +1684,7 @@ RawBuffer CKMLogic::createSignature( try { Crypto::GObjUPtr obj; retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, privateKeyName, - ownerLabel, password, obj); + explicitOwner, password, obj); if (retCode == CKM_API_SUCCESS) signature = obj->sign(cryptoAlg, message); @@ -1711,7 +1710,7 @@ RawBuffer CKMLogic::verifySignature( const Credentials &cred, int commandId, const Name &publicKeyOrCertName, - const Label &ownerLabel, + const ClientId &explicitOwner, const Password &password, // password for public_key (optional) const RawBuffer &message, const RawBuffer &signature, @@ -1725,11 +1724,11 @@ RawBuffer CKMLogic::verifySignature( // rather than private key from the same PKCS. Crypto::GObjUPtr obj; retCode = readDataHelper(false, cred, DataType::CERTIFICATE, - publicKeyOrCertName, ownerLabel, password, obj); + publicKeyOrCertName, explicitOwner, password, obj); if (retCode == CKM_API_ERROR_DB_ALIAS_UNKNOWN) retCode = readDataHelper(false, cred, DataType::DB_KEY_FIRST, - publicKeyOrCertName, ownerLabel, password, obj); + publicKeyOrCertName, explicitOwner, password, obj); if (retCode == CKM_API_SUCCESS) retCode = obj->verify(params, message, signature); 
@@ -1750,46 +1749,46 @@ RawBuffer CKMLogic::verifySignature( int CKMLogic::setPermissionHelper( const Credentials &cred, // who's the client const Name &name, - const Label &label, // who's the owner - const Label &accessorLabel, // who will get the access + const ClientId &explicitOwner, // who's the owner + const ClientId &accessor, // who will get the access const PermissionMask permissionMask) { - auto &handler = selectDatabase(cred, label); + auto &handler = selectDatabase(cred, explicitOwner); // we don't know the client - if (cred.smackLabel.empty() || !isLabelValid(cred.smackLabel)) + if (cred.client.empty() || !isClientValid(cred.client)) return CKM_API_ERROR_INPUT_PARAM; - // use client label if not explicitly provided - const Label &ownerLabel = label.empty() ? cred.smackLabel : label; + // use client id if not explicitly provided + const ClientId &owner = explicitOwner.empty() ? cred.client : explicitOwner; - // verify name and label are correct - if (!isNameValid(name) || !isLabelValid(ownerLabel) || - !isLabelValid(accessorLabel)) + // verify name and owner are correct + if (!isNameValid(name) || !isClientValid(owner) || + !isClientValid(accessor)) return CKM_API_ERROR_INPUT_PARAM; // currently we don't support modification of owner's permissions to his own rows - if (ownerLabel == accessorLabel) + if (owner == accessor) return CKM_API_ERROR_INPUT_PARAM; // system database does not support write/remove permissions - if ((0 == ownerLabel.compare(OWNER_ID_SYSTEM)) && + if ((0 == owner.compare(CLIENT_ID_SYSTEM)) && (permissionMask & Permission::REMOVE)) return CKM_API_ERROR_INPUT_PARAM; // can the client modify permissions to owner's row? 
- int retCode = m_accessControl.canModify(cred, ownerLabel); + int retCode = m_accessControl.canModify(cred, owner); if (retCode != CKM_API_SUCCESS) return retCode; DB::Crypto::Transaction transaction(&handler.database); - if (!handler.database.isNameLabelPresent(name, ownerLabel)) + if (!handler.database.isNameOwnerPresent(name, owner)) return CKM_API_ERROR_DB_ALIAS_UNKNOWN; - // set permissions to the row owned by ownerLabel for accessorLabel - handler.database.setPermission(name, ownerLabel, accessorLabel, permissionMask); + // set permissions to the row owned by owner for accessor + handler.database.setPermission(name, owner, accessor, permissionMask); transaction.commit(); return CKM_API_SUCCESS; @@ -1800,14 +1799,14 @@ RawBuffer CKMLogic::setPermission( const int command, const int msgID, const Name &name, - const Label &label, - const Label &accessorLabel, + const ClientId &explicitOwner, + const ClientId &accessor, const PermissionMask permissionMask) { int retCode; try { - retCode = setPermissionHelper(cred, name, label, accessorLabel, permissionMask); + retCode = setPermissionHelper(cred, name, explicitOwner, accessor, permissionMask); } catch (const Exc::Exception &e) { retCode = e.error(); } catch (const CKM::Exception &e) { 
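Review bot: `auto &handler = selectDatabase(cred, explicitOwner);` still runs before any of the input checks in setPermissionHelper: the empty/invalid `cred.client` test, the name/owner/accessor validation and the owner == accessor rejection all come after it, so an unvalidated owner id reaches database selection first. Moving that line down to just above `DB::Crypto::Transaction transaction(&handler.database);` keeps all validation in front of the lookup without changing the result for valid inputs. The `// who's the client` comment on cred could also state that cred.client must be a valid, non-empty id here, which is what the first check enforces.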
@@ -1818,20 +1817,20 @@ RawBuffer CKMLogic::setPermission( return MessageBuffer::Serialize(command, msgID, retCode).Pop(); } -int CKMLogic::loadAppKey(UserData &handle, const Label &appLabel) +int CKMLogic::loadAppKey(UserData &handle, const ClientId &owner) { - if (!handle.crypto.haveKey(appLabel)) { + if (!handle.crypto.haveKey(owner)) { RawBuffer key; - auto key_optional = handle.database.getKey(appLabel); + auto key_optional = handle.database.getKey(owner); if (!key_optional) { - LogError("No key for given label in database"); + LogError("No key for given owner in database"); return CKM_API_ERROR_DB_ERROR; } key = *key_optional; key = handle.keyProvider.getPureDEK(key); - handle.crypto.pushKey(appLabel, key); + handle.crypto.pushKey(owner, key); } return CKM_API_SUCCESS; diff --git a/src/manager/service/ckm-logic.h b/src/manager/service/ckm-logic.h index b1ab091f..95048cb7 100644 --- a/src/manager/service/ckm-logic.h +++ b/src/manager/service/ckm-logic.h @@ -74,13 +74,13 @@ public: const Password &newPassword); RawBuffer removeApplicationData( - const Label &smackLabel); + const ClientId &owner); RawBuffer saveData( const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy); @@ -88,7 +88,7 @@ public: const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy); 
@@ -97,21 +97,21 @@ public: const Credentials &cred, int commandId, const Name &name, - const Label &label); + const ClientId &explicitOwner); RawBuffer getData( const Credentials &cred, int commandId, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password); RawBuffer getPKCS12( const Credentials &cred, int commandId, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &keyPassword, const Password &certPassword); @@ -125,9 +125,9 @@ public: int commandId, const CryptoAlgorithmSerializable &keyGenParams, const Name &namePrivate, - const Label &labelPrivate, + const ClientId &explicitOwnerPrivate, const Name &namePublic, - const Label &labelPublic, + const ClientId &explicitOwnerPublic, const PolicySerializable &policyPrivate, const PolicySerializable &policyPublic); @@ -136,7 +136,7 @@ public: int commandId, const int size, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PolicySerializable &policy); RawBuffer getCertificateChain( @@ -151,15 +151,15 @@ public: const Credentials &cred, int commandId, const RawBuffer &certificate, - const LabelNameVector &untrustedCertificates, - const LabelNameVector &trustedCertificates, + const OwnerNameVector &untrustedCertificates, + const OwnerNameVector &trustedCertificates, bool useTrustedSystemCertificates); RawBuffer createSignature( const Credentials &cred, int commandId, const Name &privateKeyName, - const Label &ownerLabel, + const ClientId &explicitOwner, const Password &password, // password for private_key const RawBuffer &message, const CryptoAlgorithm &cryptoAlgorithm); @@ -168,7 +168,7 @@ public: const Credentials &cred, int commandId, const Name &publicKeyOrCertName, - const Label &label, + const ClientId &explicitOwner, const Password &password, // password for public_key (optional) const RawBuffer &message, const RawBuffer &signature, 
@@ -181,28 +181,28 @@ public: const int command, const int msgID, const Name &name, - const Label &label, - const Label &accessor_label, + const ClientId &explicitOwner, + const ClientId &accessor, const PermissionMask permissionMask); int setPermissionHelper( const Credentials &cred, const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &explicitOwner, + const ClientId &accessor, const PermissionMask permissionMask); int verifyAndSaveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy); int getKeyForService( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &pass, Crypto::GObjShPtr &key); @@ -215,10 +215,10 @@ public: int unlockSystemDB(); private: - // select private/system database depending on asking uid and owner label. - // output: database handler and effective label - UserData &selectDatabase(const Credentials &incoming_cred, - const Label &incoming_label); + // select private/system database depending on asking uid and owner id. + // output: database handler for effective owner + UserData &selectDatabase(const Credentials &cred, + const ClientId &explicitOwner); int unlockDatabase(uid_t user, const Password &password); @@ -241,19 +241,19 @@ private: const Credentials &cred, UserData &handler, const Name &name, - const Label &label); + const ClientId &owner); int saveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Crypto::Data &data, const PolicySerializable &policy); int saveDataHelper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy); 
@@ -261,14 +261,14 @@ private: DB::Row createEncryptedRow( CryptoLogic &crypto, const Name &name, - const Label &label, + const ClientId &owner, const Crypto::Data &data, const Policy &policy) const; int getPKCS12Helper( const Credentials &cred, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &keyPassword, const Password &certPassword, KeyShPtr &privKey, @@ -278,7 +278,7 @@ private: int extractPKCS12Data( CryptoLogic &crypto, const Name &name, - const Label &ownerLabel, + const ClientId &owner, const PKCS12Serializable &pkcs, const PolicySerializable &keyPolicy, const PolicySerializable &certPolicy, @@ -287,26 +287,25 @@ private: int removeDataHelper( const Credentials &cred, const Name &name, - const Label &ownerLabel); + const ClientId &explicitOwner); int readSingleRow( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType dataType, DB::Crypto &database, DB::Row &row); int readMultiRow(const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType dataType, DB::Crypto &database, DB::RowVector &output); int checkDataPermissionsHelper( - const Credentials &cred, + const Credentials &accessorCred, const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, const DB::Row &row, bool exportFlag, DB::Crypto &database); @@ -321,7 +320,7 @@ private: const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtr &obj); @@ -330,7 +329,7 @@ private: const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtr &obj, DataType &objDataType); @@ -340,7 +339,7 @@ private: const Credentials &cred, DataType dataType, const Name &name, - const Label &label, + const ClientId &explicitOwner, const Password &password, Crypto::GObjUPtrVector &objs); 
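Review bot: checkDataPermissionsHelper drops the separate accessor parameter and now takes `const Credentials &accessorCred` next to `const ClientId &owner`, but the declaration gives no hint which side of the permission check each one represents. Since the header is the only place many readers will look, a short comment would help, e.g. `// accessorCred: who asks for access; owner: whose row is being accessed`. Presumably the accessor id is now taken from accessorCred.client inside the implementation, which is not part of this diff; confirm before wording the comment.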
@@ -348,22 +347,22 @@ private: const Credentials &cred, const int size, const Name &name, - const Label &label, + const ClientId &explicitOwner, const PolicySerializable &policy); int createKeyPairHelper( const Credentials &cred, const CryptoAlgorithmSerializable &keyGenParams, const Name &namePrivate, - const Label &labelPrivate, + const ClientId &explicitOwnerPrivate, const Name &namePublic, - const Label &labelPublic, + const ClientId &explicitOwnerPublic, const PolicySerializable &policyPrivate, const PolicySerializable &policyPublic); int readCertificateHelper( const Credentials &cred, - const LabelNameVector &labelNameVector, + const OwnerNameVector &ownerNameVector, CertificateImplVector &certVector); int getCertificateChainHelper( @@ -376,15 +375,15 @@ private: int getCertificateChainHelper( const Credentials &cred, const CertificateImpl &cert, - const LabelNameVector &untrusted, - const LabelNameVector &trusted, + const OwnerNameVector &untrusted, + const OwnerNameVector &trusted, bool useTrustedSystemCertificates, RawBufferVector &chainRawVector); int getDataListHelper( const Credentials &cred, const DataType dataType, - LabelNameVector &labelNameVector); + OwnerNameVector &ownerNameVector); int changeUserPasswordHelper(uid_t user, const Password &oldPassword, @@ -392,7 +391,7 @@ private: int resetUserPasswordHelper(uid_t user, const Password &newPassword); - int loadAppKey(UserData &handle, const Label &appLabel); + int loadAppKey(UserData &handle, const ClientId &owner); void migrateSecureStorageData(bool isAdminUser); diff --git a/src/manager/service/ckm-service.cpp b/src/manager/service/ckm-service.cpp index 2fd0e2e7..127e0a85 100644 --- a/src/manager/service/ckm-service.cpp +++ b/src/manager/service/ckm-service.cpp @@ -120,7 +120,7 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed) uid_t user = 0; ControlCommand cc; Password newPass, oldPass; - Label smackLabel; + ClientId explicitOwner; buffer.Deserialize(command); 
@@ -167,9 +167,9 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed) break; case ControlCommand::REMOVE_APP_DATA: - buffer.Deserialize(smackLabel); + buffer.Deserialize(explicitOwner); logicFunc = [&]() { - return m_logic->removeApplicationData(smackLabel); + return m_logic->removeApplicationData(explicitOwner); }; break; @@ -181,21 +181,20 @@ RawBuffer CKMService::ProcessControl(MessageBuffer &buffer, bool allowed) case ControlCommand::SET_PERMISSION: { Name name; - Label label; - Label accessorLabel; + ClientId accessor; PermissionMask permissionMask = 0; - buffer.Deserialize(user, name, label, accessorLabel, permissionMask); + buffer.Deserialize(user, name, explicitOwner, accessor, permissionMask); - Credentials cred(user, label); - logicFunc = [&, name, label, accessorLabel, permissionMask, cred]() { + Credentials cred(user, explicitOwner); + logicFunc = [&, name, explicitOwner, accessor, permissionMask, cred]() { return m_logic->setPermission( cred, command, 0, // dummy name, - label, - accessorLabel, + explicitOwner, + accessor, permissionMask); }; break; @@ -219,7 +218,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) int msgID = 0; int tmpDataType = 0; Name name; - Label label, accessorLabel; + ClientId explicitOwner, accessor; buffer.Deserialize(command); buffer.Deserialize(msgID); @@ -238,12 +237,12 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::SAVE: { RawBuffer rawData; PolicySerializable policy; - buffer.Deserialize(tmpDataType, name, label, rawData, policy); + buffer.Deserialize(tmpDataType, name, explicitOwner, rawData, policy); return m_logic->saveData( cred, msgID, name, - label, + explicitOwner, Crypto::Data(DataType(tmpDataType), std::move(rawData)), policy); } 
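Review bot: In the SET_PERMISSION control command the credentials are built from the deserialized owner, `Credentials cred(user, explicitOwner);`, so as far as this diff shows setPermissionHelper's `m_accessControl.canModify(cred, owner)` then compares the owner with itself and the authorization of this privileged path rests on the `allowed` flag ProcessControl receives, not on cred. That is pre-existing, but worth a comment at this line, e.g. `// control path: act on behalf of the owner; access was already gated by 'allowed'`. An empty explicitOwner is rejected by the `cred.client.empty()` check in setPermissionHelper, so the owner is mandatory on this path, which the comment could also state. `explicitOwner` is now a function-scope variable shared by REMOVE_APP_DATA (captured by reference) and SET_PERMISSION (captured by copy); that is fine as long as logicFunc runs before ProcessControl returns, which appears to be the existing pattern.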
@@ -252,35 +251,35 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) RawBuffer rawData; PKCS12Serializable pkcs; PolicySerializable keyPolicy, certPolicy; - buffer.Deserialize(name, label, pkcs, keyPolicy, certPolicy); + buffer.Deserialize(name, explicitOwner, pkcs, keyPolicy, certPolicy); return m_logic->savePKCS12( cred, msgID, name, - label, + explicitOwner, pkcs, keyPolicy, certPolicy); } case LogicCommand::REMOVE: { - buffer.Deserialize(name, label); + buffer.Deserialize(name, explicitOwner); return m_logic->removeData( cred, msgID, name, - label); + explicitOwner); } case LogicCommand::GET: { Password password; - buffer.Deserialize(tmpDataType, name, label, password); + buffer.Deserialize(tmpDataType, name, explicitOwner, password); return m_logic->getData( cred, msgID, DataType(tmpDataType), name, - label, + explicitOwner, password); } @@ -289,14 +288,14 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) Password passCert; buffer.Deserialize( name, - label, + explicitOwner, passKey, passCert); return m_logic->getPKCS12( cred, msgID, name, - label, + explicitOwner, passKey, passCert); } 
@@ -312,45 +311,45 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::CREATE_KEY_AES: { int size = 0; Name keyName; - Label keyLabel; + ClientId keyExplicitOwner; PolicySerializable policyKey; buffer.Deserialize( size, policyKey, keyName, - keyLabel); + keyExplicitOwner); return m_logic->createKeyAES( cred, msgID, size, keyName, - keyLabel, + keyExplicitOwner, policyKey); } case LogicCommand::CREATE_KEY_PAIR: { CryptoAlgorithmSerializable keyGenAlgorithm; Name privateKeyName; - Label privateKeyLabel; + ClientId explicitOwnerPrivate; Name publicKeyName; - Label publicKeyLabel; + ClientId explicitOwnerPublic; PolicySerializable policyPrivateKey; PolicySerializable policyPublicKey; buffer.Deserialize(keyGenAlgorithm, policyPrivateKey, policyPublicKey, privateKeyName, - privateKeyLabel, + explicitOwnerPrivate, publicKeyName, - publicKeyLabel); + explicitOwnerPublic); return m_logic->createKeyPair( cred, msgID, keyGenAlgorithm, privateKeyName, - privateKeyLabel, + explicitOwnerPrivate, publicKeyName, - publicKeyLabel, + explicitOwnerPublic, policyPrivateKey, policyPublicKey); } @@ -372,8 +371,8 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::GET_CHAIN_ALIAS: { RawBuffer certificate; - LabelNameVector untrustedVector; - LabelNameVector trustedVector; + OwnerNameVector untrustedVector; + OwnerNameVector trustedVector; bool systemCerts = false; buffer.Deserialize(certificate, untrustedVector, trustedVector, systemCerts); return m_logic->getCertificateChain( 
@@ -390,13 +389,13 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) RawBuffer message; CryptoAlgorithmSerializable cAlgorithm; - buffer.Deserialize(name, label, password, message, cAlgorithm); + buffer.Deserialize(name, explicitOwner, password, message, cAlgorithm); return m_logic->createSignature( cred, msgID, name, - label, + explicitOwner, password, // password for private_key message, cAlgorithm); @@ -409,7 +408,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) CryptoAlgorithmSerializable cAlg; buffer.Deserialize(name, - label, + explicitOwner, password, message, signature, @@ -419,7 +418,7 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) cred, msgID, name, - label, + explicitOwner, password, // password for public_key (optional) message, signature, @@ -428,14 +427,14 @@ RawBuffer CKMService::ProcessStorage(Credentials &cred, MessageBuffer &buffer) case LogicCommand::SET_PERMISSION: { PermissionMask permissionMask = 0; - buffer.Deserialize(name, label, accessorLabel, permissionMask); + buffer.Deserialize(name, explicitOwner, accessor, permissionMask); return m_logic->setPermission( cred, command, msgID, name, - label, - accessorLabel, + explicitOwner, + accessor, permissionMask); } @@ -449,7 +448,7 @@ void CKMService::ProcessMessage(MsgKeyRequest msg) Crypto::GObjShPtr key; int ret = m_logic->getKeyForService(msg.cred, msg.name, - msg.label, + msg.explicitOwner, msg.password, key); MsgKeyResponse kResp(msg.id, key, ret); diff --git a/src/manager/service/crypto-logic.cpp b/src/manager/service/crypto-logic.cpp index 3cbfedb8..d15a37c2 100644 --- a/src/manager/service/crypto-logic.cpp +++ b/src/manager/service/crypto-logic.cpp 
@@ -67,30 +67,30 @@ CryptoLogic &CryptoLogic::operator=(CryptoLogic &&second) return *this; } -bool CryptoLogic::haveKey(const Label &smackLabel) +bool CryptoLogic::haveKey(const ClientId &client) { - return (m_keyMap.count(smackLabel) > 0); + return (m_keyMap.count(client) > 0); } -void CryptoLogic::pushKey(const Label &smackLabel, +void CryptoLogic::pushKey(const ClientId &client, const RawBuffer &applicationKey) { - if (smackLabel.length() == 0) - ThrowErr(Exc::InternalError, "Empty smack label."); + if (client.empty()) + ThrowErr(Exc::InternalError, "Empty client id."); if (applicationKey.size() == 0) ThrowErr(Exc::InternalError, "Empty application key."); - if (haveKey(smackLabel)) - ThrowErr(Exc::InternalError, "Application key for ", smackLabel, - "label already exists."); + if (haveKey(client)) + ThrowErr(Exc::InternalError, "Application key for ", client, + " already exists."); - m_keyMap[smackLabel] = applicationKey; + m_keyMap[client] = applicationKey; } -void CryptoLogic::removeKey(const Label &smackLabel) +void CryptoLogic::removeKey(const ClientId &client) { - m_keyMap.erase(smackLabel); + m_keyMap.erase(client); } RawBuffer CryptoLogic::passwordToKey( @@ -134,14 +134,14 @@ void CryptoLogic::encryptRow(DB::Row &row) if (crow.dataSize <= 0) ThrowErr(Exc::InternalError, "Invalid dataSize."); - if (!haveKey(row.ownerLabel)) + if (!haveKey(row.owner)) ThrowErr(Exc::InternalError, "Missing application key for ", - row.ownerLabel, " label."); + row.owner, " client."); if (crow.iv.empty()) crow.iv = generateRandIV(); - key = m_keyMap[row.ownerLabel]; + key = m_keyMap[row.owner]; CLEAR_FLAGS(crow.encryptionScheme); SET_FLAG(ENCR_APPKEY, crow.encryptionScheme); 
@@ -186,11 +186,11 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row) ThrowErr(Exc::AuthenticationFailed, "DB row is not password protected, but given password is not empty."); - if (GET_FLAG(ENCR_APPKEY, row.encryptionScheme) && !haveKey(row.ownerLabel)) + if (GET_FLAG(ENCR_APPKEY, row.encryptionScheme) && !haveKey(row.owner)) ThrowErr(Exc::AuthenticationFailed, "Missing application key for ", - row.ownerLabel, - " label."); + row.owner, + " client."); decBase64(crow.iv); @@ -200,7 +200,7 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row) try { if (GET_ENCRYPTION_VERSION(crow.encryptionScheme) == ENCRYPTION_V2) { if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) { - key = m_keyMap[crow.ownerLabel]; + key = m_keyMap[crow.owner]; crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv, crow.tag); } @@ -212,7 +212,7 @@ void CryptoLogic::decryptRow(const Password &password, DB::Row &row) } if (GET_FLAG(ENCR_APPKEY, crow.encryptionScheme)) { - key = m_keyMap[crow.ownerLabel]; + key = m_keyMap[crow.owner]; crow.data = Crypto::SW::Internals::decryptDataAesGcm(key, crow.data, crow.iv, crow.tag); } diff --git a/src/manager/service/crypto-logic.h b/src/manager/service/crypto-logic.h index fab4cf9b..154b1b24 100644 --- a/src/manager/service/crypto-logic.h +++ b/src/manager/service/crypto-logic.h @@ -43,10 +43,10 @@ public: static int getSchemeVersion(int encryptionScheme); - bool haveKey(const Label &smackLabel); - void pushKey(const Label &smackLabel, + bool haveKey(const ClientId &client); + void pushKey(const ClientId &client, const RawBuffer &applicationKey); - void removeKey(const Label &smackLabel); + void removeKey(const ClientId &client); /* * v1 encryption. @@ -101,7 +101,7 @@ private: return encryptionScheme >> ENCR_ORDER_OFFSET; } - std::map<Label, RawBuffer> m_keyMap; + std::map<ClientId, RawBuffer> m_keyMap; RawBuffer generateRandIV() const; RawBuffer passwordToKey(const Password &password, 
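Review bot: In decryptRow the guard `!haveKey(row.owner)` is evaluated on `row`, while the two lookups below are `key = m_keyMap[crow.owner];`, and `operator[]` default-inserts an empty RawBuffer when the key is absent; if crow.owner and row.owner ever differed, decryption would silently proceed with an empty key and the inserted entry would make a later haveKey() for that owner return true. Using `key = m_keyMap.at(crow.owner);` in both places turns that into a std::out_of_range instead of a silent wrong result; the surrounding try block presumably already handles the failure path — confirm. The same `operator[]` lookup is used in encryptRow in the previous hunk, where guard and lookup at least refer to the same variable.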
diff --git a/src/manager/service/crypto-request.h b/src/manager/service/crypto-request.h index 83ccab5c..467c9c76 100644 --- a/src/manager/service/crypto-request.h +++ b/src/manager/service/crypto-request.h @@ -34,7 +34,7 @@ struct CryptoRequest { int msgId; CryptoAlgorithmSerializable cas; Name name; - Label label; + ClientId explicitOwner; Password password; RawBuffer input; }; diff --git a/src/manager/service/db-crypto.cpp b/src/manager/service/db-crypto.cpp index 9395386e..2bc2a92e 100644 --- a/src/manager/service/db-crypto.cpp +++ b/src/manager/service/db-crypto.cpp @@ -81,7 +81,7 @@ const char *DB_CMD_NAME_COUNT_ROWS = const char *DB_CMD_NAME_DELETE = "DELETE FROM NAMES WHERE name=?101 AND label=?102;"; -const char *DB_CMD_NAME_DELETE_BY_LABEL = +const char *DB_CMD_NAME_DELETE_BY_OWNER = "DELETE FROM NAMES WHERE label=?102;"; @@ -107,7 +107,7 @@ const char *DB_CMD_OBJECT_UPDATE = " WHERE idx IN (SELECT idx FROM NAMES WHERE name=?101 and label=?102)" " AND dataType = ?002;"; -const char *DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL = +const char *DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER = "SELECT * FROM [join_name_object_tables] " " WHERE (dataType BETWEEN ?001 AND ?002) " " AND name=?101 and label=?102;"; @@ -338,7 +338,7 @@ void Crypto::resetDB() transaction.commit(); } -bool Crypto::isNameLabelPresent(const Name &name, const Label &owner) const +bool Crypto::isNameOwnerPresent(const Name &name, const ClientId &owner) const { try { NameTable nameTable(this->m_connection); @@ -350,10 +350,10 @@ bool Crypto::isNameLabelPresent(const Name &name, const Label &owner) const } ThrowErr(Exc::DatabaseFailed, - "Couldn't check if name and label pair is present"); + "Couldn't check if name and owner pair is present"); } -void Crypto::saveRows(const Name &name, const Label &owner, +void Crypto::saveRows(const Name &name, const ClientId &owner, const RowVector &rows) { try { 
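Review bot: DB_CMD_NAME_DELETE_BY_OWNER and DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER are renamed while their SQL still addresses the `label` column, and nothing near these strings says that this column now holds the owner ClientId; the commit message explains it but the code does not. A one-line comment above the first renamed constant, e.g. `// NAMES.label stores the owner ClientId; the column keeps its legacy name (schema unchanged)`, would spare the next reader the detour through the history. The queries remain fully parameterized (?101/?102), so the rename does not change how the ids reach SQLite.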
@@ -389,11 +389,11 @@ void Crypto::saveRow(const Row &row) NameTable nameTable(this->m_connection); ObjectTable objectTable(this->m_connection); PermissionTable permissionTable(this->m_connection); - nameTable.addRow(row.name, row.ownerLabel); + nameTable.addRow(row.name, row.owner); objectTable.addRow(row); permissionTable.setPermission(row.name, - row.ownerLabel, - row.ownerLabel, + row.owner, + row.owner, static_cast<int>(DEFAULT_PERMISSIONS)); return; } catch (const SqlConnection::Exception::SyntaxError &) { @@ -423,14 +423,14 @@ void Crypto::updateRow(const Row &row) bool Crypto::deleteRow( const Name &name, - const Label &ownerLabel) + const ClientId &owner) { try { // transaction is present in the layer above NameTable nameTable(this->m_connection); - if (nameTable.isPresent(name, ownerLabel)) { - nameTable.deleteRow(name, ownerLabel); + if (nameTable.isPresent(name, owner)) { + nameTable.deleteRow(name, owner); return true; } @@ -442,7 +442,7 @@ bool Crypto::deleteRow( } ThrowErr(Exc::DatabaseFailed, - "Couldn't delete Row for name ", name, " using ownerLabel ", ownerLabel); + "Couldn't delete Row for name ", name, " using owner id ", owner); } Row Crypto::getRow( @@ -450,7 +450,7 @@ Row Crypto::getRow( { Row row; row.name = selectCommand->GetColumnString(0); - row.ownerLabel = selectCommand->GetColumnString(1); + row.owner = selectCommand->GetColumnString(1); row.exportable = selectCommand->GetColumnInteger(2); row.dataType = DataType(selectCommand->GetColumnInteger(3)); row.algorithmType = 
@@ -466,12 +466,12 @@ Row Crypto::getRow( PermissionMaskOptional Crypto::getPermissionRow( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel) const + const ClientId &owner, + const ClientId &accessor) const { try { PermissionTable permissionTable(this->m_connection); - return permissionTable.getPermissionRow(name, ownerLabel, accessorLabel); + return permissionTable.getPermissionRow(name, owner, accessor); } catch (const SqlConnection::Exception::InvalidColumn &) { LogError("Select statement invalid column error"); } catch (const SqlConnection::Exception::SyntaxError &) { @@ -485,27 +485,27 @@ PermissionMaskOptional Crypto::getPermissionRow( Crypto::RowOptional Crypto::getRow( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType type) { - return getRow(name, ownerLabel, type, type); + return getRow(name, owner, type, type); } Crypto::RowOptional Crypto::getRow( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType typeRangeStart, DataType typeRangeStop) { try { SqlConnection::DataCommandUniquePtr selectCommand = - m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL); + m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER); selectCommand->BindInteger(1, typeRangeStart); selectCommand->BindInteger(2, typeRangeStop); // name table reference selectCommand->BindString(101, name.c_str()); - selectCommand->BindString(102, ownerLabel.c_str()); + selectCommand->BindString(102, owner.c_str()); if (selectCommand->Step()) { // extract data 
@@ -528,34 +528,34 @@ Crypto::RowOptional Crypto::getRow( "Couldn't get row of type <", static_cast<int>(typeRangeStart), ",", static_cast<int>(typeRangeStop), ">", - " name ", name, " with owner label ", ownerLabel); + " name ", name, " with owner ", owner); } void Crypto::getRows( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType type, RowVector &output) { - getRows(name, ownerLabel, type, type, output); + getRows(name, owner, type, type, output); } void Crypto::getRows( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType typeRangeStart, DataType typeRangeStop, RowVector &output) { try { SqlConnection::DataCommandUniquePtr selectCommand = - m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_LABEL); + m_connection->PrepareDataCommand(DB_CMD_OBJECT_SELECT_BY_NAME_AND_OWNER); selectCommand->BindInteger(1, typeRangeStart); selectCommand->BindInteger(2, typeRangeStop); // name table reference selectCommand->BindString(101, name.c_str()); - selectCommand->BindString(102, ownerLabel.c_str()); + selectCommand->BindString(102, owner.c_str()); while (selectCommand->Step()) { // extract data @@ -575,20 +575,20 @@ void Crypto::getRows( "Couldn't get row of type <", static_cast<int>(typeRangeStart), ",", static_cast<int>(typeRangeStop), ">", - " name ", name, " with owner label ", ownerLabel); + " name ", name, " with owner label ", owner); } void Crypto::listNames( - const Label &smackLabel, - LabelNameVector &labelNameVector, + const ClientId &owner, + OwnerNameVector &ownerNameVector, DataType type) { - listNames(smackLabel, labelNameVector, type, type); + listNames(owner, ownerNameVector, type, type); } void Crypto::listNames( - const Label &smackLabel, - LabelNameVector &labelNameVector, + const ClientId &owner, + OwnerNameVector &ownerNameVector, DataType typeRangeStart, DataType typeRangeStop) { 
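Review bot: The ThrowErr text at the top of the second hunk (getRows) still says `" with owner label "` while the sibling getRow overload in the first hunk was changed to `" with owner "`; now that the label concept is gone the two messages should agree, i.e. `" name ", name, " with owner ", owner);`. Only the tail of getRows' try/catch is inside the hunk, so the remaining catch clauses are not visible here.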
@@ -598,14 +598,14 @@ void Crypto::listNames( m_connection->PrepareDataCommand(DB_CMD_NAME_SELECT_BY_TYPE_AND_PERMISSION); selectCommand->BindInteger(1, static_cast<int>(typeRangeStart)); selectCommand->BindInteger(2, static_cast<int>(typeRangeStop)); - selectCommand->BindString(104, smackLabel.c_str()); + selectCommand->BindString(104, owner.c_str()); selectCommand->BindInteger(4, static_cast<int>(Permission::READ | Permission::REMOVE)); while (selectCommand->Step()) { - Label ownerLabel = selectCommand->GetColumnString(0); - Name name = selectCommand->GetColumnString(1); - labelNameVector.push_back(std::make_pair(ownerLabel, name)); + ClientId itemOwner = selectCommand->GetColumnString(0); + Name itemName = selectCommand->GetColumnString(1); + ownerNameVector.push_back(std::make_pair(itemOwner, itemName)); } return; @@ -621,17 +621,17 @@ void Crypto::listNames( "Couldn't list names of type <", static_cast<int>(typeRangeStart), ",", static_cast<int>(typeRangeStop), ">", - " accessible to client label ", smackLabel); + " accessible to client ", owner); } void Crypto::saveKey( - const Label &label, + const ClientId &owner, const RawBuffer &key) { try { SqlConnection::DataCommandUniquePtr insertCommand = m_connection->PrepareDataCommand(DB_CMD_KEY_INSERT); - insertCommand->BindString(1, label.c_str()); + insertCommand->BindString(1, owner.c_str()); insertCommand->BindBlob(2, key); insertCommand->Step(); return; 
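Review bot: In listNames the parameter renamed to `owner` is bound at slot 104, the slot PermissionTable::setPermission and getPermissionRow use for the accessor, and the ThrowErr below describes it as the client the names are "accessible to" — so `owner` names the wrong role and reads as if the query were limited to owned items. Naming it `accessor` (or `client`) in both overloads and in the db-crypto.h declarations keeps it distinguishable from the genuine `owner` parameters elsewhere in this file: `const ClientId &accessor,` and `selectCommand->BindString(104, accessor.c_str());`. The loop that pushes `(itemOwner, itemName)` already reads correctly under that interpretation. listNames' catch clauses continue past the hunk.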
@@ -641,15 +641,15 @@ void Crypto::saveKey( LogError("Couldn't execute insert statement"); } - ThrowErr(Exc::DatabaseFailed, "Couldn't save key for label ", label); + ThrowErr(Exc::DatabaseFailed, "Couldn't save key for owner ", owner); } -Crypto::RawBufferOptional Crypto::getKey(const Label &label) +Crypto::RawBufferOptional Crypto::getKey(const ClientId &owner) { try { SqlConnection::DataCommandUniquePtr selectCommand = m_connection->PrepareDataCommand(DB_CMD_KEY_SELECT); - selectCommand->BindString(1, label.c_str()); + selectCommand->BindString(1, owner.c_str()); if (selectCommand->Step()) return RawBufferOptional(selectCommand->GetColumnBlob(0)); @@ -663,21 +663,21 @@ Crypto::RawBufferOptional Crypto::getKey(const Label &label) LogError("Couldn't execute insert statement"); } - ThrowErr(Exc::DatabaseFailed, "Couldn't get key for label ", label); + ThrowErr(Exc::DatabaseFailed, "Couldn't get key for owner ", owner); } -void Crypto::deleteKey(const Label &label) +void Crypto::deleteKey(const ClientId &owner) { try { Transaction transaction(this); SqlConnection::DataCommandUniquePtr deleteCommand = m_connection->PrepareDataCommand(DB_CMD_KEY_DELETE); - deleteCommand->BindString(1, label.c_str()); + deleteCommand->BindString(1, owner.c_str()); deleteCommand->Step(); NameTable nameTable(this->m_connection); - nameTable.deleteAllRows(label); + nameTable.deleteAllRows(owner); transaction.commit(); return; 
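Review bot: The catch clause of getKey at the start of the second hunk logs `"Couldn't execute insert statement"` although the function runs a select, and deleteKey's catch at the start of the next hunk logs the same text for a delete; only saveKey's copy in the first hunk is accurate. Since the commit already rewrites the adjacent ThrowErr texts, these context lines are worth correcting in the same pass: `LogError("Couldn't execute select statement");` in getKey and `LogError("Couldn't execute delete statement");` in deleteKey. Both catch blocks start outside their hunks, so the other catch clauses cannot be checked from here.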
@@ -687,18 +687,18 @@ void Crypto::deleteKey(const Label &label) LogError("Couldn't execute insert statement"); } - ThrowErr(Exc::DatabaseFailed, "Couldn't delete key for label ", label); + ThrowErr(Exc::DatabaseFailed, "Couldn't delete key for owner ", owner); } void Crypto::setPermission( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, + const ClientId &accessor, const PermissionMask permissionMask) { try { PermissionTable permissionTable(this->m_connection); - permissionTable.setPermission(name, ownerLabel, accessorLabel, permissionMask); + permissionTable.setPermission(name, owner, accessor, permissionMask); return; } catch (const SqlConnection::Exception::SyntaxError &) { LogError("Couldn't prepare set statement"); 
@@ -745,45 +745,45 @@ bool Crypto::SchemaInfo::getVersionInfo(int &version) const void Crypto::PermissionTable::setPermission( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, + const ClientId &accessor, const PermissionMask permissionMask) { if (permissionMask == Permission::NONE) { // clear permissions SqlConnection::DataCommandUniquePtr deletePermissionCommand = m_connection->PrepareDataCommand(DB_CMD_PERMISSION_DELETE); - deletePermissionCommand->BindString(104, accessorLabel.c_str()); + deletePermissionCommand->BindString(104, accessor.c_str()); deletePermissionCommand->BindString(101, name.c_str()); - deletePermissionCommand->BindString(102, ownerLabel.c_str()); + deletePermissionCommand->BindString(102, owner.c_str()); deletePermissionCommand->Step(); } else { // add new permissions SqlConnection::DataCommandUniquePtr setPermissionCommand = m_connection->PrepareDataCommand(DB_CMD_PERMISSION_SET); - setPermissionCommand->BindString(104, accessorLabel.c_str()); + setPermissionCommand->BindString(104, accessor.c_str()); setPermissionCommand->BindInteger(105, static_cast<int>(permissionMask)); setPermissionCommand->BindString(101, name.c_str()); - setPermissionCommand->BindString(102, ownerLabel.c_str()); + setPermissionCommand->BindString(102, owner.c_str()); setPermissionCommand->Step(); } } PermissionMaskOptional Crypto::PermissionTable::getPermissionRow( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel) const + const ClientId &owner, + const ClientId &accessor) const { SqlConnection::DataCommandUniquePtr selectCommand = m_connection->PrepareDataCommand(DB_CMD_PERMISSION_SELECT); - selectCommand->BindString(104, accessorLabel.c_str()); + selectCommand->BindString(104, accessor.c_str()); // name table reference selectCommand->BindString(101, name.c_str()); - selectCommand->BindString(102, ownerLabel.c_str()); + selectCommand->BindString(102, owner.c_str()); if (selectCommand->Step()) { 
- // there is entry for the <name, ownerLabel> pair + // there is entry for the <name, owner> pair return PermissionMaskOptional(PermissionMask(selectCommand->GetColumnInteger( 0))); } @@ -793,35 +793,35 @@ PermissionMaskOptional Crypto::PermissionTable::getPermissionRow( void Crypto::NameTable::addRow( const Name &name, - const Label &ownerLabel) + const ClientId &owner) { // insert NAMES item SqlConnection::DataCommandUniquePtr insertNameCommand = m_connection->PrepareDataCommand(DB_CMD_NAME_INSERT); insertNameCommand->BindString(101, name.c_str()); - insertNameCommand->BindString(102, ownerLabel.c_str()); + insertNameCommand->BindString(102, owner.c_str()); insertNameCommand->Step(); } void Crypto::NameTable::deleteRow( const Name &name, - const Label &ownerLabel) + const ClientId &ownerOwner) { SqlConnection::DataCommandUniquePtr deleteCommand = m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE); deleteCommand->BindString(101, name.c_str()); - deleteCommand->BindString(102, ownerLabel.c_str()); + deleteCommand->BindString(102, ownerOwner.c_str()); // Step() result code does not provide information whether // anything was removed. deleteCommand->Step(); } -void Crypto::NameTable::deleteAllRows(const Label &ownerLabel) +void Crypto::NameTable::deleteAllRows(const ClientId &owner) { SqlConnection::DataCommandUniquePtr deleteData = - m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE_BY_LABEL); - deleteData->BindString(102, ownerLabel.c_str()); + m_connection->PrepareDataCommand(DB_CMD_NAME_DELETE_BY_OWNER); + deleteData->BindString(102, owner.c_str()); // Step() result code does not provide information whether // anything was removed. 
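Review bot: PermissionTable::setPermission has no guard against `accessor == owner`: with Permission::NONE the delete bound at slot 104 removes the row Crypto::saveRow inserts for the owner with DEFAULT_PERMISSIONS, and with any other mask it overwrites that row. If the logic layer above already rejects an accessor equal to the owner this is fine, but that is not visible here; a precondition comment naming where it is enforced, e.g. `// precondition: accessor != owner (enforced by the caller)`, or a one-line check would make the invariant explicit. The enclosing setPermission body is fully inside the hunk.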
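Review bot: NameTable::deleteRow's parameter became `ownerOwner`, which looks like a mechanical rename artefact; the declaration in db-crypto.h and every other method in this hunk use `owner`. `const ClientId &owner)` together with `deleteCommand->BindString(102, owner.c_str());` keeps the definition consistent with its declaration.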
@@ -829,16 +829,16 @@ void Crypto::NameTable::deleteAllRows(const Label &ownerLabel) } bool Crypto::NameTable::isPresent(const Name &name, - const Label &ownerLabel) const + const ClientId &owner) const { SqlConnection::DataCommandUniquePtr checkCmd = m_connection->PrepareDataCommand(DB_CMD_NAME_COUNT_ROWS); checkCmd->BindString(101, name.c_str()); - checkCmd->BindString(102, ownerLabel.c_str()); + checkCmd->BindString(102, owner.c_str()); if (checkCmd->Step()) { int element_count = checkCmd->GetColumnInteger(0); - LogDebug("Item name: " << name << " ownerLabel: " << ownerLabel << + LogDebug("Item name: " << name << " owner: " << owner << " hit count: " << element_count); if (element_count > 0) @@ -864,7 +864,7 @@ void Crypto::ObjectTable::addRow(const Row &row) // name table reference insertObjectCommand->BindString(101, row.name.c_str()); - insertObjectCommand->BindString(102, row.ownerLabel.c_str()); + insertObjectCommand->BindString(102, row.owner.c_str()); insertObjectCommand->Step(); } @@ -883,7 +883,7 @@ void Crypto::ObjectTable::updateRow(const Row &row) // name table reference updateObjectCommand->BindString(101, row.name.c_str()); - updateObjectCommand->BindString(102, row.ownerLabel.c_str()); + updateObjectCommand->BindString(102, row.owner.c_str()); updateObjectCommand->Step(); } diff --git a/src/manager/service/db-crypto.h b/src/manager/service/db-crypto.h index f4021c32..65ef3a38 100644 --- a/src/manager/service/db-crypto.h +++ b/src/manager/service/db-crypto.h 
@@ -60,71 +60,71 @@ public: void saveRows( const Name &name, - const Label &owner, + const ClientId &owner, const RowVector &rows); void updateRow( const Row &row); - bool isNameLabelPresent( + bool isNameOwnerPresent( const Name &name, - const Label &owner) const; + const ClientId &owner) const; RowOptional getRow( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType type); RowOptional getRow( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType typeRangeStart, DataType typeRangeStop); void getRows( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType type, RowVector &output); void getRows( const Name &name, - const Label &ownerLabel, + const ClientId &owner, DataType typeRangeStart, DataType typeRangeStop, RowVector &output); void listNames( - const Label &smackLabel, - LabelNameVector &labelNameVector, + const ClientId &owner, + OwnerNameVector &ownerNameVector, DataType type); void listNames( - const Label &smackLabel, - LabelNameVector &labelNameVector, + const ClientId &owner, + OwnerNameVector &ownerNameVector, DataType typeRangeStart, DataType typeRangeStop); bool deleteRow( const Name &name, - const Label &ownerLabel); + const ClientId &owner); // keys - void saveKey(const Label &label, const RawBuffer &key); - RawBufferOptional getKey(const Label &label); - void deleteKey(const Label &label); + void saveKey(const ClientId &owner, const RawBuffer &key); + RawBufferOptional getKey(const ClientId &owner); + void deleteKey(const ClientId &owner); // permissions void setPermission( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, + const ClientId &accessor, const PermissionMask permissionMask); PermissionMaskOptional getPermissionRow( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel) const; + const ClientId &owner, + const ClientId &accessor) const; // transactions int beginTransaction(); 
@@ -247,18 +247,18 @@ public: void addRow( const Name &name, - const Label &ownerLabel); + const ClientId &owner); void deleteRow( const Name &name, - const Label &ownerLabel); + const ClientId &owner); void deleteAllRows( - const Label &ownerLabel); + const ClientId &owner); bool isPresent( const Name &name, - const Label &ownerLabel) const; + const ClientId &owner) const; private: SqlConnection *m_connection; @@ -284,14 +284,14 @@ public: void setPermission( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel, + const ClientId &owner, + const ClientId &accessor, const PermissionMask permissionMask); PermissionMaskOptional getPermissionRow( const Name &name, - const Label &ownerLabel, - const Label &accessorLabel) const; + const ClientId &owner, + const ClientId &accessor) const; private: SqlConnection *m_connection; diff --git a/src/manager/service/db-row.h b/src/manager/service/db-row.h index 0f171bad..c709ed26 100644 --- a/src/manager/service/db-row.h +++ b/src/manager/service/db-row.h @@ -37,17 +37,17 @@ struct Row : public Token { encryptionScheme(0), dataSize(0) {} - Row(Token token, const Name &pName, const Label &pLabel, int pExportable) : + Row(Token token, const Name &pName, const ClientId &pOwner, int pExportable) : Token(std::move(token)), name(pName), - ownerLabel(pLabel), + owner(pOwner), exportable(pExportable), algorithmType(DBCMAlgType::NONE), encryptionScheme(0), dataSize(data.size()) {} Name name; - Label ownerLabel; + ClientId owner; int exportable; DBCMAlgType algorithmType; // Algorithm type used for row data encryption int encryptionScheme; // for example: (ENCR_BASE64 | ENCR_PASSWORD) diff --git a/src/manager/service/encryption-service.cpp b/src/manager/service/encryption-service.cpp index e4035848..5289f830 100644 --- a/src/manager/service/encryption-service.cpp +++ b/src/manager/service/encryption-service.cpp 
@@ -57,8 +57,8 @@ void EncryptionService::RespondToClient(const CryptoRequest &request, void EncryptionService::RequestKey(const CryptoRequest &request) { - MsgKeyRequest kReq(request.msgId, request.cred, request.name, request.label, - request.password); + MsgKeyRequest kReq(request.msgId, request.cred, request.name, + request.explicitOwner, request.password); if (!m_commMgr->SendMessage(kReq)) throw std::runtime_error("No listener found");// TODO @@ -127,7 +127,7 @@ void EncryptionService::ProcessEncryption(const ConnectionID &conn, int tmpCmd = 0; CryptoRequest req; - buffer.Deserialize(tmpCmd, req.msgId, req.cas, req.name, req.label, + buffer.Deserialize(tmpCmd, req.msgId, req.cas, req.name, req.explicitOwner, req.password, req.input); req.command = static_cast<EncryptionCommand>(tmpCmd); diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp index 2da77035..79f80811 100644 --- a/src/manager/service/file-system.cpp +++ b/src/manager/service/file-system.cpp @@ -143,11 +143,11 @@ void FileSystem::saveDBDEK(const RawBuffer &buffer) const saveFile(getDBDEKPath(), buffer); } -void FileSystem::addRemovedApp(const std::string &smackLabel) const +void FileSystem::addRemovedApp(const ClientId &app) const { std::ofstream outfile; outfile.open(getRemovedAppsPath(), std::ios_base::app); - outfile << smackLabel << std::endl; + outfile << app << std::endl; outfile.close(); if (outfile.fail()) { @@ -157,10 +157,10 @@ void FileSystem::addRemovedApp(const std::string &smackLabel) const } } -AppLabelVector FileSystem::clearRemovedsApps() const +ClientIdVector FileSystem::clearRemovedsApps() const { // read the contents - AppLabelVector removedApps; + ClientIdVector removedApps; std::string line; std::ifstream removedAppsFile(getRemovedAppsPath()); diff --git a/src/manager/service/file-system.h b/src/manager/service/file-system.h index 2ed9e310..287fbf61 100644 --- a/src/manager/service/file-system.h +++ b/src/manager/service/file-system.h 
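Review bot: addRemovedApp writes one ClientId per line and clearRemovedsApps in the next hunk reads the file back into `std::string line`, so the format silently assumes a ClientId never contains a newline. That presumably held for smack labels; whether the new ClientId form gives the same guarantee is not stated anywhere in the hunk, so either document it at the write site, e.g. `// one ClientId per line; a ClientId must not contain '\n'`, or reject such a value before writing. The `if (outfile.fail())` handling continues beyond the hunk.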
@@ -27,7 +27,7 @@ namespace CKM { -typedef std::vector<std::string> AppLabelVector; +typedef std::vector<ClientId> ClientIdVector; typedef std::vector<uid_t> UidVector; class FileSystem { @@ -47,8 +47,8 @@ public: // Remove all ckm data related to user int removeUserData() const; - void addRemovedApp(const std::string &smackLabel) const; - AppLabelVector clearRemovedsApps() const; + void addRemovedApp(const ClientId &app) const; + ClientIdVector clearRemovedsApps() const; static int init(); static UidVector getUIDsFromDBFile(); diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp index 98dedd4a..95c68af6 100644 --- a/src/manager/service/key-provider.cpp +++ b/src/manager/service/key-provider.cpp @@ -67,12 +67,12 @@ void WrappedKeyAndInfoContainer::setKeyInfoKeyLength(const unsigned int length) wrappedKeyAndInfo->keyInfo.keyLength = length; } -void WrappedKeyAndInfoContainer::setKeyInfoLabel(const std::string label) +void WrappedKeyAndInfoContainer::setKeyInfoClient(const std::string resized_client) { strncpy( - wrappedKeyAndInfo->keyInfo.label, - label.c_str(), - MAX_LABEL_SIZE-1); + wrappedKeyAndInfo->keyInfo.client, + resized_client.c_str(), + MAX_CLIENT_ID_SIZE-1); } void WrappedKeyAndInfoContainer::setKeyInfoSalt(const unsigned char *salt, @@ -165,7 +165,7 @@ KeyProvider::KeyProvider( uint8_t PKEK1[MAX_KEY_SIZE]; concat_user_pass = concat_password_user( - wkmcDKEK.getWrappedKeyAndInfo().keyInfo.label, + wkmcDKEK.getWrappedKeyAndInfo().keyInfo.client, password.c_str()); if (!PKCS5_PBKDF2_HMAC_SHA1( @@ -249,7 +249,7 @@ RawBuffer KeyProvider::getWrappedDomainKEK(const Password &password) uint8_t PKEK1[MAX_KEY_SIZE]; concat_user_pass = concat_password_user( - m_kmcDKEK->getKeyAndInfo().keyInfo.label, + m_kmcDKEK->getKeyAndInfo().keyInfo.client, password.c_str()); if (!PKCS5_PBKDF2_HMAC_SHA1( 
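Review bot: setKeyInfoClient copies with `strncpy(..., MAX_CLIENT_ID_SIZE-1)`, which writes no terminator when the source is 31 characters long — exactly the length generateDEK truncates to — so `keyInfo.client` is NUL-terminated only if the last byte of the array was zeroed beforehand, and the later `strlen(... keyInfo.client)` in getPureDEK reads past the array otherwise. If the container constructor zero-fills the struct a comment saying so is enough; if not, add `wrappedKeyAndInfo->keyInfo.client[MAX_CLIENT_ID_SIZE-1] = '\0';` after the copy. The parameter is also taken as `const std::string` by value where `const std::string &` avoids a copy.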
@@ -307,8 +307,8 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) int keyLength; if (!PKCS5_PBKDF2_HMAC_SHA1( - wkmcDEK.getWrappedKeyAndInfo().keyInfo.label, - strlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.label), + wkmcDEK.getWrappedKeyAndInfo().keyInfo.client, + strlen(wkmcDEK.getWrappedKeyAndInfo().keyInfo.client), m_kmcDKEK->getKeyAndInfo().key, MAX_SALT_SIZE, PBKDF2_ITERATIONS, @@ -334,18 +334,18 @@ RawBuffer KeyProvider::getPureDEK(const RawBuffer &DEKInWrapForm) (kmcDEK.getKeyAndInfo().key) + kmcDEK.getKeyAndInfo().keyInfo.keyLength); } -RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) +RawBuffer KeyProvider::generateDEK(const ClientId &client) { if (!m_isInitialized) ThrowErr(Exc::InternalError, "Object not initialized!"); WrappedKeyAndInfoContainer wkmcDEK = WrappedKeyAndInfoContainer(); - std::string resized_smackLabel; + std::string resized_client; - if (smackLabel.length() < APP_LABEL_SIZE) - resized_smackLabel = smackLabel; + if (client.length() < MAX_CLIENT_ID_SIZE) + resized_client = client; else - resized_smackLabel = smackLabel.substr(0, APP_LABEL_SIZE - 1); + resized_client = client.substr(0, MAX_CLIENT_ID_SIZE - 1); uint8_t key[MAX_KEY_SIZE], PKEK2[MAX_KEY_SIZE]; @@ -354,8 +354,8 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) ThrowErr(Exc::InternalError, "OPENSSL_ENGINE_ERROR"); if (!PKCS5_PBKDF2_HMAC_SHA1( - resized_smackLabel.c_str(), - strlen(resized_smackLabel.c_str()), + resized_client.c_str(), + strlen(resized_client.c_str()), m_kmcDKEK->getKeyAndInfo().key, MAX_SALT_SIZE, PBKDF2_ITERATIONS, 
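Review bot: generateDEK still caps the identifier at `MAX_CLIENT_ID_SIZE - 1` bytes before it becomes the PBKDF2 password (with the domain KEK key as salt) for PKEK2, presumably the key that wraps the new DEK, so two ClientIds that agree on their first 31 bytes derive the same per-client wrapping key; concat_password_user in the next hunk applies the same cap for the domain KEK. The cap is inherited from the smack-label scheme, but this commit changes what the field holds, so the maximum ClientId length — or a guarantee that ids are unique within 31 bytes — should be confirmed and recorded, e.g. `// ClientId is truncated to 31 bytes; PKEK2 only separates clients by that prefix`, or the derivation should use a fixed-size digest of the full id, which would also need a storage-format migration since keyInfo.client is persisted. Minor: `strlen(resized_client.c_str())` can simply be `resized_client.size()`.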
@@ -375,7 +375,7 @@ RawBuffer KeyProvider::generateDEK(const std::string &smackLabel) ThrowErr(Exc::InternalError, "GenerateDEK Failed in KeyProvider::generateDEK"); wkmcDEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength); - wkmcDEK.setKeyInfoLabel(resized_smackLabel); + wkmcDEK.setKeyInfoClient(resized_client); LogDebug("GenerateDEK Success"); return toRawBuffer(wkmcDEK.getWrappedKeyAndInfo()); @@ -405,7 +405,7 @@ RawBuffer KeyProvider::reencrypt( concat_user_pass = concat_password_user( - wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.label, + wkmcOldDKEK.getWrappedKeyAndInfo().keyInfo.client, oldPass.c_str()); if (!PKCS5_PBKDF2_HMAC_SHA1( @@ -435,7 +435,7 @@ RawBuffer KeyProvider::reencrypt( kmcDKEK.setKeyInfoKeyLength((unsigned int)keyLength); concat_user_pass = concat_password_user( - kmcDKEK.getKeyAndInfo().keyInfo.label, + kmcDKEK.getKeyAndInfo().keyInfo.client, newPass.c_str()); if (!PKCS5_PBKDF2_HMAC_SHA1( @@ -513,7 +513,7 @@ RawBuffer KeyProvider::generateDomainKEK( "GenerateDomainKEK Failed in KeyProvider::generateDomainKEK"); wkmcDKEK.setKeyInfoKeyLength((unsigned int)wrappedKeyLength); - wkmcDKEK.setKeyInfoLabel(user); + wkmcDKEK.setKeyInfoClient(user); LogDebug("generateDomainKEK Success"); return toRawBuffer(wkmcDKEK.getWrappedKeyAndInfo()); @@ -621,8 +621,8 @@ char *KeyProvider::concat_password_user(const char *user, const char *password) std::string result(password); result += user; - if (strlen(user) > MAX_LABEL_SIZE - 1) - result.resize(strlen(password) + MAX_LABEL_SIZE - 1); + if (strlen(user) > MAX_CLIENT_ID_SIZE - 1) + result.resize(strlen(password) + MAX_CLIENT_ID_SIZE - 1); char *ret = new char[result.size() + 1]; memcpy(ret, result.c_str(), result.size() + 1); diff --git a/src/manager/service/key-provider.h b/src/manager/service/key-provider.h index 82b79e62..9994c905 100644 --- a/src/manager/service/key-provider.h +++ b/src/manager/service/key-provider.h 
@@ -57,15 +57,14 @@ #define MAX_SALT_SIZE 16 #define MAX_KEY_SIZE 32 #define MAX_WRAPPED_KEY_SIZE 32 -#define MAX_LABEL_SIZE 32 +#define MAX_CLIENT_ID_SIZE 32 #define DOMAIN_NAME_SIZE 32 -#define APP_LABEL_SIZE 32 namespace CKM { typedef struct KeyComponentsInfo_ { uint32_t keyLength; - char label[MAX_LABEL_SIZE]; + char client[MAX_CLIENT_ID_SIZE]; uint8_t salt[MAX_SALT_SIZE]; uint8_t iv[MAX_IV_SIZE]; uint8_t tag[MAX_IV_SIZE]; @@ -87,7 +86,7 @@ public: WrappedKeyAndInfoContainer(const unsigned char *); WrappedKeyAndInfo &getWrappedKeyAndInfo(); void setKeyInfoKeyLength(const unsigned int); - void setKeyInfoLabel(const std::string); + void setKeyInfoClient(const std::string); void setKeyInfoSalt(const unsigned char *, const int); void setKeyInfo(const KeyComponentsInfo *); ~WrappedKeyAndInfoContainer(); @@ -141,10 +140,10 @@ public: // This key will be used to decrypt/encrypt data in ROW RawBuffer getPureDEK(const RawBuffer &DEKInWrapForm); - // Returns WRAPPED DEK. This will be written to datbase. + // Returns WRAPPED DEK. This will be written to database. // This key will be used to encrypt all application information. - // All application are identified by smackLabel. - RawBuffer generateDEK(const std::string &smackLabel); + // All application are identified by client id. + RawBuffer generateDEK(const ClientId &client); // used by change user password. On error -> exception static RawBuffer reencrypt( diff --git a/src/manager/service/permission.cpp b/src/manager/service/permission.cpp new file mode 100644 index 00000000..e6e930af --- /dev/null +++ b/src/manager/service/permission.cpp 
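Review bot: `char client[MAX_CLIENT_ID_SIZE]` in KeyComponentsInfo_ is part of the serialized wrapped-key blob (generateDEK returns `toRawBuffer(wkmcDEK.getWrappedKeyAndInfo())`), so the rename is layout-neutral only because the new define keeps the value 32; a comment pinning that, e.g. `char client[MAX_CLIENT_ID_SIZE]; // persisted: 32 bytes, NUL-terminated, truncated client id`, protects the on-disk format from a later "raise the limit" change. `setKeyInfoClient(const std::string)` should take `const std::string &`. The updated comment should read "All applications are identified by client id."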
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file permission.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ */
+
+#include <permission.h>
+
+namespace CKM {
+
+PermissionMask toPermissionMask(const PermissionMaskOptional& mask)
+{
+ return mask ? *mask : Permission::NONE;
+}
+
+} // namespace CKM
diff --git a/src/manager/service/permission.h b/src/manager/service/permission.h
index b0218ba1..a4860c14 100644
--- a/src/manager/service/permission.h
+++ b/src/manager/service/permission.h
@@ -17,7 +17,7 @@ * @file permission.h * @author Maciej Karpiuk (m.karpiuk2@samsung.com) * @version 1.0 - * @brief PermissionForLabel - helper to bind permissions with accessor label. + * @brief toPermissionMask - PermissionMaskOptional conversion helper. */ #pragma once
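Review bot: toPermissionMask is a one-liner with no dependency beyond permission.h, so it could be defined `inline` in the header instead of adding a translation unit plus the CMakeLists entry. If the separate file is kept, `#include "permission.h"` is the usual form for a project header unless the project convention is angle brackets throughout, and the declaration deserves a short doc comment, e.g. `/// Maps an absent permission row (empty optional) to Permission::NONE.`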
@@ -26,23 +26,7 @@ namespace CKM { typedef boost::optional<PermissionMask> PermissionMaskOptional; -struct PermissionForLabel { - Label accessorLabel; // who is accessing the item - PermissionMask permissionMask; - PermissionForLabel(const Label &accessor, const PermissionMaskOptional mask) - { - accessorLabel = accessor; +PermissionMask toPermissionMask(const PermissionMaskOptional& mask); - if (mask) - permissionMask = *mask; - else - permissionMask = Permission::NONE; - } - - int operator&(const Permission &bit) const - { - return permissionMask & bit; - } -}; } // namespace CKM diff --git a/tests/DBFixture.cpp b/tests/DBFixture.cpp index f08846be..a7e42fe6 100644 --- a/tests/DBFixture.cpp +++ b/tests/DBFixture.cpp @@ -89,15 +89,15 @@ void DBFixture::generate_name(unsigned int id, Name &output) output = ss.str(); } -void DBFixture::generate_label(unsigned int id, Label &output) +void DBFixture::generate_owner(unsigned int id, ClientId &output) { std::stringstream ss; - ss << "label_no_" << id; + ss << "owner_no_" << id; output = ss.str(); } void DBFixture::generate_perf_DB(unsigned int num_name, - unsigned int num_elements) + unsigned int names_per_owner) { // to speed up data creation - cache the row DB::Row rowPattern = create_default_row(DataType::BINARY_DATA); 
@@ -107,32 +107,32 @@ void DBFixture::generate_perf_DB(unsigned int num_name, for (unsigned int i = 0; i < num_name; i++) { generate_name(i, rowPattern.name); - generate_label(i / num_elements, rowPattern.ownerLabel); + generate_owner(i / names_per_owner, rowPattern.owner); BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern)); } } long DBFixture::add_full_access_rights(unsigned int num_name, - unsigned int num_name_per_label) + unsigned int num_name_per_owner) { long iterations = 0; - unsigned int num_labels = num_name / num_name_per_label; + unsigned int num_owners = num_name / num_name_per_owner; Name name; - Label owner_label, accessor_label; + ClientId owner, accessor; for (unsigned int a = 0; a < num_name; a++) { generate_name(a, name); - generate_label(a / num_name_per_label, owner_label); + generate_owner(a / num_name_per_owner, owner); - for (unsigned int l = 0; l < num_labels; l++) { - // bypass the owner label - if (l == (a / num_name_per_label)) + for (unsigned int l = 0; l < num_owners; l++) { + // bypass the owner + if (l == (a / num_name_per_owner)) continue; // add permission - generate_label(l, accessor_label); - add_permission(name, owner_label, accessor_label); + generate_owner(l, accessor); + add_permission(name, owner, accessor); iterations++; } } @@ -142,16 +142,16 @@ long DBFixture::add_full_access_rights(unsigned int num_name, DB::Row DBFixture::create_default_row(DataType type) { - return create_default_row(m_default_name, m_default_label, type); + return create_default_row(m_default_name, m_default_owner, type); } DB::Row DBFixture::create_default_row(const Name &name, - const Label &label, + const ClientId &owner, DataType type) { DB::Row row; row.name = name; - row.ownerLabel = label; + row.owner = owner; row.exportable = 1; row.algorithmType = DBCMAlgType::AES_GCM_256; row.dataType = type; 
@@ -169,9 +169,9 @@ void DBFixture::compare_row(const DB::Row &lhs, const DB::Row &rhs) "namees didn't match! Got: " << rhs.name << " , expected : " << lhs.name); - BOOST_CHECK_MESSAGE(lhs.ownerLabel == rhs.ownerLabel, - "smackLabel didn't match! Got: " << rhs.ownerLabel - << " , expected : " << lhs.ownerLabel); + BOOST_CHECK_MESSAGE(lhs.owner == rhs.owner, + "owner didn't match! Got: " << rhs.owner + << " , expected : " << lhs.owner); BOOST_CHECK_MESSAGE(lhs.exportable == rhs.exportable, "exportable didn't match! Got: " << rhs.exportable @@ -195,7 +195,7 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern) BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern)); DB::Crypto::RowOptional optional_row; - BOOST_REQUIRE_NO_THROW(optional_row = m_db.getRow("name", "label", + BOOST_REQUIRE_NO_THROW(optional_row = m_db.getRow("name", "owner", DataType::BINARY_DATA)); BOOST_REQUIRE_MESSAGE(optional_row, "Select didn't return any row"); @@ -205,11 +205,11 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern) name_duplicate.dataSize = name_duplicate.data.size(); unsigned int erased; - BOOST_REQUIRE_NO_THROW(erased = m_db.deleteRow("name", "label")); + BOOST_REQUIRE_NO_THROW(erased = m_db.deleteRow("name", "owner")); BOOST_REQUIRE_MESSAGE(erased > 0, "Inserted row didn't exist in db"); DB::Crypto::RowOptional row_optional; - BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow("name", "label", + BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow("name", "owner", DataType::BINARY_DATA)); BOOST_REQUIRE_MESSAGE(!row_optional, "Select should not return row after deletion"); 
@@ -217,12 +217,12 @@ void DBFixture::check_DB_integrity(const DB::Row &rowPattern) void DBFixture::insert_row() { - insert_row(m_default_name, m_default_label); + insert_row(m_default_name, m_default_owner); } -void DBFixture::insert_row(const Name &name, const Label &owner_label) +void DBFixture::insert_row(const Name &name, const ClientId &owner) { - DB::Row rowPattern = create_default_row(name, owner_label, + DB::Row rowPattern = create_default_row(name, owner, DataType::BINARY_DATA); rowPattern.data = RawBuffer(100, 20); rowPattern.dataSize = rowPattern.data.size(); @@ -230,27 +230,27 @@ void DBFixture::insert_row(const Name &name, const Label &owner_label) BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern)); } -void DBFixture::delete_row(const Name &name, const Label &owner_label) +void DBFixture::delete_row(const Name &name, const ClientId &owner) { bool exit_flag; - BOOST_REQUIRE_NO_THROW(exit_flag = m_db.deleteRow(name, owner_label)); + BOOST_REQUIRE_NO_THROW(exit_flag = m_db.deleteRow(name, owner)); BOOST_REQUIRE_MESSAGE(true == exit_flag, "remove name failed: no rows removed"); } -void DBFixture::add_permission(const Name &name, const Label &owner_label, - const Label &accessor_label) +void DBFixture::add_permission(const Name &name, const ClientId &owner, + const ClientId &accessor) { BOOST_REQUIRE_NO_THROW(m_db.setPermission(name, - owner_label, - accessor_label, + owner, + accessor, CKM::Permission::READ | CKM::Permission::REMOVE)); } void DBFixture::read_row_expect_success(const Name &name, - const Label &owner_label) + const ClientId &owner) { DB::Crypto::RowOptional row; - BOOST_REQUIRE_NO_THROW(row = m_db.getRow(name, owner_label, + BOOST_REQUIRE_NO_THROW(row = m_db.getRow(name, owner, DataType::BINARY_DATA)); BOOST_REQUIRE_MESSAGE(row, "row is empty"); BOOST_REQUIRE_MESSAGE(row->name == name, "name is not valid"); diff --git a/tests/DBFixture.h b/tests/DBFixture.h index 62f19a2a..5b40820b 100644 --- a/tests/DBFixture.h +++ b/tests/DBFixture.h 
@@ -33,15 +33,15 @@ public: DBFixture(const char *db_fname); constexpr static const char *m_default_name = "name"; - constexpr static const char *m_default_label = "label"; + constexpr static const char *m_default_owner = "owner"; // ::::::::::::::::::::::::: helper methods ::::::::::::::::::::::::: static void generate_name(unsigned int id, CKM::Name &output); - static void generate_label(unsigned int id, CKM::Label &output); + static void generate_owner(unsigned int id, CKM::ClientId &output); static CKM::DB::Row create_default_row(CKM::DataType type = CKM::DataType::BINARY_DATA); static CKM::DB::Row create_default_row(const CKM::Name &name, - const CKM::Label &label, + const CKM::ClientId &owner, CKM::DataType type = CKM::DataType::BINARY_DATA); static void compare_row(const CKM::DB::Row &lhs, const CKM::DB::Row &rhs); @@ -50,17 +50,17 @@ public: void performance_stop(long num_operations_performed); // ::::::::::::::::::::::::: DB ::::::::::::::::::::::::: - void generate_perf_DB(unsigned int num_name, unsigned int num_label); + void generate_perf_DB(unsigned int num_name, unsigned int names_per_owner); long add_full_access_rights(unsigned int num_name, - unsigned int num_names_per_label); + unsigned int num_names_per_owner); void check_DB_integrity(const CKM::DB::Row &rowPattern); void insert_row(); - void insert_row(const CKM::Name &name, const CKM::Label &owner_label); - void delete_row(const CKM::Name &name, const CKM::Label &owner_label); - void add_permission(const CKM::Name &name, const CKM::Label &owner_label, - const CKM::Label &accessor_label); + void insert_row(const CKM::Name &name, const CKM::ClientId &owner); + void delete_row(const CKM::Name &name, const CKM::ClientId &owner); + void add_permission(const CKM::Name &name, const CKM::ClientId &owner, + const CKM::ClientId &accessor); void read_row_expect_success(const CKM::Name &name, - const CKM::Label &owner_label); + const CKM::ClientId &owner); CKM::DB::Crypto m_db; 
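Review bot: The renamed parameters are inconsistent with each other: `generate_perf_DB(unsigned int num_name, unsigned int names_per_owner)` drops the `num_` prefix that `add_full_access_rights(unsigned int num_name, unsigned int num_names_per_owner)` keeps, although both receive the same `c_names_per_owner` value in test_db_crypto.cpp. Pick one spelling, e.g. `void generate_perf_DB(unsigned int num_name, unsigned int num_names_per_owner);`. A one-line comment on `m_default_owner` stating that it is the owner part of the alias rather than a Smack label would help readers coming from the old naming.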
diff --git a/tests/encryption-scheme/scheme-test.cpp b/tests/encryption-scheme/scheme-test.cpp index d0096ace..73cca051 100644 --- a/tests/encryption-scheme/scheme-test.cpp +++ b/tests/encryption-scheme/scheme-test.cpp @@ -53,7 +53,7 @@ const uid_t UID = 7654; const gid_t GID = 7654; const char *const DBPASS = "db-pass"; const char *const LABEL = "my-label"; -const Label DB_LABEL = "/" + string(LABEL); +const ClientId OWNER = "/" + string(LABEL); const int ENC_SCHEME_OFFSET = 24; const string TEST_DATA_STR = "test-data"; RawBuffer TEST_DATA(TEST_DATA_STR.begin(), TEST_DATA_STR.end()); @@ -743,7 +743,7 @@ size_t SchemeTest::CountObjects() for (const auto &i : g.items) { DB::RowVector rows; // it is assumed that aliases are different - m_db->getRows(i.alias, DB_LABEL, DataType::DB_FIRST, DataType::DB_LAST, rows); + m_db->getRows(i.alias, OWNER, DataType::DB_FIRST, DataType::DB_LAST, rows); ret += rows.size(); } } @@ -770,7 +770,7 @@ void SchemeTest::CheckSchemeVersion(const ItemFilter &filter, int version) continue; DB::RowVector rows; - m_db->getRows(i.alias, DB_LABEL, filter.typeFrom, filter.typeTo, rows); + m_db->getRows(i.alias, OWNER, filter.typeFrom, filter.typeTo, rows); BOOST_REQUIRE_MESSAGE(rows.size() > 0, "No rows found for " << i.alias); for (const auto &r : rows) { diff --git a/tests/secure-storage-old-data/README b/tests/secure-storage-old-data/README index a6c9ca0c..60299635 100644 --- a/tests/secure-storage-old-data/README +++ b/tests/secure-storage-old-data/README 
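Review bot: `OWNER` is still derived from `LABEL` as `"/" + string(LABEL)`, so the test keeps the old label-to-owner mapping inside a constant named after the new concept, and nothing explains the leading `/`. If the pre-generated test database was written under that owner id, say so in a comment, e.g. `// owner id the test DB rows were stored under; must match the DB generator`; if not, the constant can become a plain literal. CountObjects and CheckSchemeVersion are both cut by their hunks and continue outside them.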
@@ -27,8 +27,8 @@ All data is saved in both of <storage name> is only used for migratable data re-encryption. -system db with owner label = "/System" and name = "<data name>" -admin user(owner) db with owner label = "/User" and name = "<data name>" +system db with owner = "/System" and name = "<data name>" +admin user(owner) db with owner = "/User" and name = "<data name>" storage name extraction examples) Client with... Case1:: <smack label> = "client.service.label", <data name> = "data", <group id> = "secure-storage::client" diff --git a/tests/test_crypto-logic.cpp b/tests/test_crypto-logic.cpp index 6bb84cd0..57843658 100644 --- a/tests/test_crypto-logic.cpp +++ b/tests/test_crypto-logic.cpp 
@@ -48,39 +48,39 @@ BOOST_AUTO_TEST_CASE(move_semantics) { CryptoLogic logic; - const std::string label = "test_label"; - BOOST_REQUIRE_NO_THROW(logic.pushKey(label, createRandom(10))); + const ClientId client = "test_client"; + BOOST_REQUIRE_NO_THROW(logic.pushKey(client, createRandom(10))); CryptoLogic moved(std::move(logic)); - BOOST_REQUIRE(!logic.haveKey(label)); - BOOST_REQUIRE(moved.haveKey(label)); + BOOST_REQUIRE(!logic.haveKey(client)); + BOOST_REQUIRE(moved.haveKey(client)); CryptoLogic moveAssigned = std::move(moved); - BOOST_REQUIRE(!moved.haveKey(label)); - BOOST_REQUIRE(moveAssigned.haveKey(label)); + BOOST_REQUIRE(!moved.haveKey(client)); + BOOST_REQUIRE(moveAssigned.haveKey(client)); moveAssigned = std::move(moveAssigned); - BOOST_REQUIRE(moveAssigned.haveKey(label)); + BOOST_REQUIRE(moveAssigned.haveKey(client)); } BOOST_AUTO_TEST_CASE(push_key) { CryptoLogic logic; - const std::string label = "test_label"; + const ClientId client = "test_client"; BOOST_REQUIRE_THROW(logic.pushKey(std::string(), createRandom(10)), Exc::InternalError); - BOOST_REQUIRE_THROW(logic.pushKey(label, RawBuffer()), + BOOST_REQUIRE_THROW(logic.pushKey(client, RawBuffer()), Exc::InternalError); - BOOST_REQUIRE_NO_THROW(logic.pushKey(label, createRandom(10))); - BOOST_REQUIRE_THROW(logic.pushKey(label, createRandom(10)), + BOOST_REQUIRE_NO_THROW(logic.pushKey(client, createRandom(10))); + BOOST_REQUIRE_THROW(logic.pushKey(client, createRandom(10)), Exc::InternalError); - std::string increasingLabel = "a"; - for (size_t i = 0; i < 20; ++i, increasingLabel.push_back('a')) { - BOOST_REQUIRE_NO_THROW(logic.pushKey(increasingLabel, createRandom(10))); - BOOST_REQUIRE_THROW(logic.pushKey(increasingLabel, createRandom(10)), + ClientId increasingOwner = "a"; + for (size_t i = 0; i < 20; ++i, increasingOwner.push_back('a')) { + BOOST_REQUIRE_NO_THROW(logic.pushKey(increasingOwner, createRandom(10))); + BOOST_REQUIRE_THROW(logic.pushKey(increasingOwner, createRandom(10)), 
Exc::InternalError); } } @@ -94,15 +94,15 @@ BOOST_AUTO_TEST_CASE(row_encryption) Token token = store.import(data, policy.password); Name name = "test_data"; - Label label = "test_owner"; - DB::Row row(token, name, label, static_cast<int>(policy.extractable)); + ClientId owner = "test_owner"; + DB::Row row(token, name, owner, static_cast<int>(policy.extractable)); CryptoLogic logic; BOOST_REQUIRE_THROW(logic.encryptRow(row), Exc::InternalError); auto key = createRandom(32); - BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key)); + BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key)); BOOST_REQUIRE_NO_THROW(logic.encryptRow(row)); BOOST_REQUIRE_NO_THROW(logic.decryptRow(policy.password, row)); } @@ -116,22 +116,22 @@ BOOST_AUTO_TEST_CASE(row_encryption_negatives) Token token = store.import(data, policy.password); Name name = "test_data"; - Label label = "test_owner"; - DB::Row row(token, name, label, static_cast<int>(policy.extractable)); + ClientId owner = "test_owner"; + DB::Row row(token, name, owner, static_cast<int>(policy.extractable)); CryptoLogic logic; auto key = createRandom(32); - BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key)); + BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key)); BOOST_REQUIRE_NO_THROW(logic.encryptRow(row)); BOOST_REQUIRE_THROW(logic.decryptRow(createRandomPass(10), row), Exc::AuthenticationFailed); - BOOST_REQUIRE_NO_THROW(logic.removeKey(label)); + BOOST_REQUIRE_NO_THROW(logic.removeKey(owner)); BOOST_REQUIRE_THROW(logic.decryptRow(Password(), row), Exc::AuthenticationFailed); - BOOST_REQUIRE_NO_THROW(logic.pushKey(label, key)); + BOOST_REQUIRE_NO_THROW(logic.pushKey(owner, key)); row.algorithmType = DBCMAlgType::NONE; BOOST_REQUIRE_THROW(logic.decryptRow(Password(), row), diff --git a/tests/test_db_crypto.cpp b/tests/test_db_crypto.cpp index e9f471bf..7d6c698a 100644 --- a/tests/test_db_crypto.cpp +++ b/tests/test_db_crypto.cpp 
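Review bot: push_key still passes `std::string()` as the empty-id case while every other call now uses `ClientId`; this compiles only because ClientId is apparently convertible from std::string, which `increasingOwner.push_back('a')` also presumes. Use `ClientId()` there so the test does not depend on that relationship if ClientId later becomes a distinct type. In row_encryption and row_encryption_negatives `ClientId owner = "test_owner";` is not `const`, unlike `const ClientId client` in the earlier cases; `const ClientId owner = "test_owner";` keeps the file consistent. The BOOST_AUTO_TEST_CASE lines for move_semantics, row_encryption and row_encryption_negatives sit just before their hunks.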
@@ -39,7 +39,7 @@ const int restricted_global = 0; const unsigned int c_test_retries = 1000; const unsigned int c_num_names = 500; const unsigned int c_num_names_add_test = 5000; -const unsigned int c_names_per_label = 15; +const unsigned int c_names_per_owner = 15; } // namespace anonymous @@ -72,7 +72,7 @@ BOOST_AUTO_TEST_CASE(DBtestGlobal) BOOST_REQUIRE_NO_THROW(m_db.saveRow(rowPattern)); DB::Row name_duplicate = rowPattern; - rowPattern.ownerLabel = rowPattern.ownerLabel + "1"; + rowPattern.owner = rowPattern.owner + "1"; } BOOST_AUTO_TEST_CASE(DBtestTransaction) { @@ -87,7 +87,7 @@ BOOST_AUTO_TEST_CASE(DBtestTransaction) DB::Crypto::RowOptional row_optional; BOOST_REQUIRE_NO_THROW(row_optional = m_db.getRow(m_default_name, - m_default_label, + m_default_owner, DataType::BINARY_DATA)); BOOST_CHECK_MESSAGE(!row_optional, "Row still present after rollback"); } @@ -121,7 +121,7 @@ BOOST_AUTO_TEST_CASE(DBperfAddNames) performance_start("saveRow"); { - generate_perf_DB(c_num_names_add_test, c_names_per_label); + generate_perf_DB(c_num_names_add_test, c_names_per_owner); } performance_stop(c_num_names_add_test); 
@@ -130,40 +130,41 @@ BOOST_AUTO_TEST_CASE(DBperfAddNames) BOOST_AUTO_TEST_CASE(DBperfLookupAliasByOwner) { // prepare data - generate_perf_DB(c_num_names, c_names_per_label); + generate_perf_DB(c_num_names, c_names_per_owner); - unsigned int num_labels = c_num_names / c_names_per_label; + unsigned int num_owners = c_num_names / c_names_per_owner; Name name; - Label label; + ClientId owner; // actual test - successful lookup performance_start("getRow"); for (unsigned int t = 0; t < c_test_retries; t++) { - int label_num = rand_r(&t) % num_labels; - generate_label(label_num, label); + int owner_num = rand_r(&t) % num_owners; + generate_owner(owner_num, owner); - unsigned int start_name = label_num * c_names_per_label; + unsigned int start_name = owner_num * c_names_per_owner; for (unsigned int name_num = start_name; - name_num < (start_name + c_names_per_label); name_num++) { + name_num < (start_name + c_names_per_owner); name_num++) { generate_name(name_num, name); - read_row_expect_success(name, label); + read_row_expect_success(name, owner); } } performance_stop(c_test_retries * c_num_names); } +// TODO this test makes no sense. Rewrite it. BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions) { // prepare data - generate_perf_DB(c_num_names, c_names_per_label); + generate_perf_DB(c_num_names, c_names_per_owner); Name name; - Label owner_label; - Label smack_label; - unsigned int num_labels = c_num_names / c_names_per_label; + ClientId owner; + //ClientId smack_label; + //unsigned int num_owners = c_num_names / c_names_per_owner; // actual test - random lookup performance_start("getRow"); 
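Review bot: `int owner_num = rand_r(&t) % num_owners;` passes the loop counter as the rand_r seed, and rand_r writes its updated seed back through that pointer, so `t` is overwritten with an arbitrary value on the first iteration and the `t < c_test_retries` loop almost certainly exits long before the intended 1000 retries; `performance_stop(c_test_retries * c_num_names)` then reports work that was not done (and that count uses c_num_names where the loop reads c_names_per_owner rows per retry). Keep a separate seed: `unsigned int seed = 0;` before the loop and `int owner_num = rand_r(&seed) % num_owners;`. The same pattern is in DBperfLookupAliasRandomOwnershipNoPermissions (next hunk) and in DBperfGetAliasList's `generate_owner(rand_r(&t) % num_owners, owner);`. The `//ClientId smack_label;` and `//unsigned int num_owners` lines left under the new TODO should be deleted rather than commented out; the TODO already records that the test lost its meaning.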
@@ -171,11 +172,11 @@ BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions) for (unsigned int t = 0; t < c_test_retries; t++) { int name_idx = rand_r(&t) % c_num_names; generate_name(name_idx, name); - generate_label(name_idx / c_names_per_label, owner_label); - generate_label(rand_r(&t) % num_labels, smack_label); + generate_owner(name_idx / c_names_per_owner, owner); + //generate_owner(rand_r(&t) % num_owners, smack_label); // do not care of result - m_db.getRow(name, owner_label, DataType::BINARY_DATA); + m_db.getRow(name, owner, DataType::BINARY_DATA); } performance_stop(c_test_retries * c_num_names); 
@@ -184,41 +185,41 @@ BOOST_AUTO_TEST_CASE(DBperfLookupAliasRandomOwnershipNoPermissions) BOOST_AUTO_TEST_CASE(DBperfAddPermissions) { // prepare data - generate_perf_DB(c_num_names, c_names_per_label); + generate_perf_DB(c_num_names, c_names_per_owner); // actual test - add access rights performance_start("setPermission"); - long iterations = add_full_access_rights(c_num_names, c_names_per_label); + long iterations = add_full_access_rights(c_num_names, c_names_per_owner); performance_stop(iterations); } BOOST_AUTO_TEST_CASE(DBperfAliasRemoval) { // prepare data - generate_perf_DB(c_num_names, c_names_per_label); - add_full_access_rights(c_num_names, c_names_per_label); + generate_perf_DB(c_num_names, c_names_per_owner); + add_full_access_rights(c_num_names, c_names_per_owner); // actual test - random lookup performance_start("deleteRow"); Name name; - Label label; + ClientId owner; for (unsigned int t = 0; t < c_num_names; t++) { generate_name(t, name); - generate_label(t / c_names_per_label, label); + generate_owner(t / c_names_per_owner, owner); - BOOST_REQUIRE_NO_THROW(m_db.deleteRow(name, label)); + BOOST_REQUIRE_NO_THROW(m_db.deleteRow(name, owner)); } performance_stop(c_num_names); // verify everything has been removed - unsigned int num_labels = c_num_names / c_names_per_label; + unsigned int num_owners = c_num_names / c_names_per_owner; - for (unsigned int l = 0; l < num_labels; l++) { - generate_label(l, label); - LabelNameVector expect_no_data; - BOOST_REQUIRE_NO_THROW(m_db.listNames(label, expect_no_data, + for (unsigned int l = 0; l < num_owners; l++) { + generate_owner(l, owner); + OwnerNameVector expect_no_data; + BOOST_REQUIRE_NO_THROW(m_db.listNames(owner, expect_no_data, DataType::BINARY_DATA)); BOOST_REQUIRE(0 == expect_no_data.size()); } 
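Review bot: The removal verification loops `l < num_owners` with `num_owners = c_num_names / c_names_per_owner`, which truncates 500/15 to 33, but the deletion loop just above derives the owner as `t / c_names_per_owner` for t up to 499, i.e. owner index 33 as well; the owner of the last five names is never checked to be empty. Either iterate to `(c_num_names + c_names_per_owner - 1) / c_names_per_owner` or pin the assumption once next to the constants: `static_assert(c_num_names % c_names_per_owner == 0, "names must split evenly across owners");`. The same truncated `num_owners` is recomputed in DBperfLookupAliasByOwner and DBperfGetAliasList; a single `c_num_owners` constant in the anonymous namespace would remove the repetition. This presumes generate_perf_DB assigns owners the same way the deletion loop does, which the hunk does not show.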
@@ -227,25 +228,25 @@ BOOST_AUTO_TEST_CASE(DBperfAliasRemoval) BOOST_AUTO_TEST_CASE(DBperfGetAliasList) { // prepare data - generate_perf_DB(c_num_names, c_names_per_label); - add_full_access_rights(c_num_names, c_names_per_label); + generate_perf_DB(c_num_names, c_names_per_owner); + add_full_access_rights(c_num_names, c_names_per_owner); - unsigned int num_labels = c_num_names / c_names_per_label; - Label label; + unsigned int num_owners = c_num_names / c_names_per_owner; + ClientId owner; // actual test - random lookup performance_start("listNames"); - for (unsigned int t = 0; t < (c_test_retries / num_labels); t++) { - LabelNameVector ret_list; - generate_label(rand_r(&t) % num_labels, label); + for (unsigned int t = 0; t < (c_test_retries / num_owners); t++) { + OwnerNameVector ret_list; + generate_owner(rand_r(&t) % num_owners, owner); - BOOST_REQUIRE_NO_THROW(m_db.listNames(label, ret_list, DataType::BINARY_DATA)); + BOOST_REQUIRE_NO_THROW(m_db.listNames(owner, ret_list, DataType::BINARY_DATA)); BOOST_REQUIRE(c_num_names == ret_list.size()); ret_list.clear(); } - performance_stop(c_test_retries / num_labels); + performance_stop(c_test_retries / num_owners); } BOOST_AUTO_TEST_SUITE_END() 
@@ -253,51 +254,52 @@ BOOST_AUTO_TEST_SUITE_END() BOOST_AUTO_TEST_SUITE(DBCRYPTO_MIGRATION_TEST) namespace { const unsigned migration_names = 16107; -const unsigned migration_labels = 273; -const unsigned migration_reference_label_idx = 0; +const unsigned migration_owners = 273; +const unsigned migration_reference_owner_idx = 0; const unsigned migration_accessed_element_idx = 7; void verifyDBisValid(DBFixture &fixture) { /** - * there are (migration_labels), each having (migration_names)/(migration_labels) entries. - * reference label (migration_reference_label_idx) exists such that it has access to - * all others' label element with index (migration_accessed_element_idx). + * There are (migration_owners), each having (migration_names)/(migration_owners) + * entries. Reference owner (migration_reference_owner_idx) exists such that + * it has access to all other owners' elements with index + * (migration_accessed_element_idx). * * Example: - * - migration_label_63 has access to all items owned by migration_label_63, - * which gives (migration_names)/(migration_labels) entries. + * - migration_owner_63 has access to all items owned by migration_owner_63, + * which gives (migration_names)/(migration_owners) entries. * - * - migration_label_0 (0 is the reference label) has access to all items - * owned by migration_label_0 and all others' label element index 7, - * which gives (migration_names)/(migration_labels) + (migration_labels-1) entries. + * - migration_owner_0 (0 is the reference owner) has access to all items + * owned by migration_owner_0 and all other owners' elements with index 7, + * which gives (migration_names)/(migration_owners) + (migration_owners-1) entries. 
* */ - Label reference_label; - fixture.generate_label(migration_reference_label_idx, reference_label); + ClientId reference_owner; + fixture.generate_owner(migration_reference_owner_idx, reference_owner); - // check number of elements accessible to the reference label - LabelNameVector ret_list; - BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(reference_label, ret_list, + // check number of elements accessible to the reference owner + OwnerNameVector ret_list; + BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(reference_owner, ret_list, DataType::BINARY_DATA)); - BOOST_REQUIRE((migration_names / migration_labels)/*own items*/ + - (migration_labels - 1)/*other labels'*/ == ret_list.size()); + BOOST_REQUIRE((migration_names / migration_owners)/*own items*/ + + (migration_owners - 1)/*other owners'*/ == ret_list.size()); ret_list.clear(); - // check number of elements accessible to the other labels - for (unsigned int l = 0; l < migration_labels; l++) { - // bypass the reference owner label - if (l == migration_reference_label_idx) + // check number of elements accessible to the other owners + for (unsigned int l = 0; l < migration_owners; l++) { + // bypass the reference owner + if (l == migration_reference_owner_idx) continue; - Label current_label; - fixture.generate_label(l, current_label); - BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(current_label, ret_list, + ClientId current_owner; + fixture.generate_owner(l, current_owner); + BOOST_REQUIRE_NO_THROW(fixture.m_db.listNames(current_owner, ret_list, DataType::BINARY_DATA)); - BOOST_REQUIRE((migration_names / migration_labels) == ret_list.size()); + BOOST_REQUIRE((migration_names / migration_owners) == ret_list.size()); for (auto it : ret_list) - BOOST_REQUIRE(it.first == current_label); + BOOST_REQUIRE(it.first == current_owner); ret_list.clear(); } 
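Review bot: verifyDBisValid's expected counts rely on `migration_names / migration_owners` dividing exactly (16107 = 273 × 59); if either constant is edited, the integer division silently changes the expected list sizes, and the `element_index` computation in DBMigrationDBCurrent (next hunk) starts landing on overlapping owners. Pin it next to the constants: `static_assert(migration_names % migration_owners == 0, "migration_names must be a multiple of migration_owners");`. The unchanged `for (auto it : ret_list)` copies each pair out of the vector on every iteration; `for (const auto &it : ret_list)` is the idiomatic form. DBMigrationDBCurrent begins before its hunk and continues after it.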
@@ -339,27 +341,27 @@ BOOST_AUTO_TEST_CASE(DBMigrationDBCurrent) DBFixture currentDB; // prepare data using current DB mechanism - Label reference_label; - currentDB.generate_label(migration_reference_label_idx, reference_label); + ClientId reference_owner; + currentDB.generate_owner(migration_reference_owner_idx, reference_owner); { - currentDB.generate_perf_DB(migration_names, migration_names / migration_labels); + currentDB.generate_perf_DB(migration_names, migration_names / migration_owners); - // only the reference label has access to the other labels element <migration_accessed_element_idx> - for (unsigned int l = 0; l < migration_labels; l++) { - // bypass the reference owner label - if (l == migration_reference_label_idx) + // only the reference owner has access to the other owners' elements <migration_accessed_element_idx> + for (unsigned int l = 0; l < migration_owners; l++) { + // bypass the reference owner + if (l == migration_reference_owner_idx) continue; unsigned element_index = migration_accessed_element_idx + l * migration_names / - migration_labels; + migration_owners; // add permission Name accessed_name; currentDB.generate_name(element_index, accessed_name); - Label current_label; - currentDB.generate_label(l, current_label); - currentDB.add_permission(accessed_name, current_label, reference_label); + ClientId current_owner; + currentDB.generate_owner(l, current_owner); + currentDB.add_permission(accessed_name, current_owner, reference_owner); } } diff --git a/tests/test_key-provider.cpp b/tests/test_key-provider.cpp index 274080db..abca9890 100644 --- a/tests/test_key-provider.cpp +++ b/tests/test_key-provider.cpp 
@@ -33,8 +33,8 @@ const CKM::Password NEW_PASSWORD = "NEW12345TIZEN12345NEW"; const std::string USERNAME_SHORT = "AB"; const std::string USERNAME_LONG = "SOFTWARE_CENTER_SYSTEM_SW_LAB_SECURITY_PART"; -const std::string SMACK_LABEL_1 = "SAMPLE_SMACK_LABEL_1"; -const std::string SMACK_LABEL_2 = "SAMPLE_SMACK_LABEL_2"; +const std::string CLIENT_ID_1 = "SAMPLE_CLIENT_ID_1"; +const std::string CLIENT_ID_2 = "SAMPLE_CLIENT_ID_2"; extern bool isLibInitialized; @@ -106,7 +106,7 @@ BOOST_AUTO_TEST_CASE(KeyGenerateDEK) BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD)); BOOST_REQUIRE_MESSAGE(keyProvider.isInitialized(), "KeyProvider created, but uninitialized"); - BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1)); + BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1)); } BOOST_AUTO_TEST_CASE(KeyGetPureDEK) @@ -122,7 +122,7 @@ BOOST_AUTO_TEST_CASE(KeyGetPureDEK) BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD)); BOOST_REQUIRE_MESSAGE(keyProvider.isInitialized(), "KeyProvider created, but uninitialized"); - BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1)); + BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1)); BOOST_REQUIRE_NO_THROW(rb_pureDEK1 = keyProvider.getPureDEK(rb_DEK1)); } @@ -159,7 +159,7 @@ BOOST_AUTO_TEST_CASE(KeyGetPureDEK_after_reencrypt) BOOST_REQUIRE_NO_THROW(rb_test = CKM::KeyProvider::generateDomainKEK(USERNAME_LONG, PASSWORD)); BOOST_REQUIRE_NO_THROW(keyProvider = CKM::KeyProvider(rb_test, PASSWORD)); - BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(SMACK_LABEL_1)); + BOOST_REQUIRE_NO_THROW(rb_DEK1 = keyProvider.generateDEK(CLIENT_ID_1)); BOOST_REQUIRE_NO_THROW(keyProvider.getPureDEK(rb_DEK1)); } 
@@ -169,7 +169,7 @@ BOOST_AUTO_TEST_CASE(wrapped_container) auto salt = createRandom(20); BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoSalt(salt.data(), salt.size())); - BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoLabel("key_info_label")); + BOOST_REQUIRE_NO_THROW(wrappedContainer.setKeyInfoClient("key_info_client")); CKM::WrappedKeyAndInfoContainer wrappedContainer2; BOOST_REQUIRE_NO_THROW( @@ -183,9 +183,9 @@ BOOST_AUTO_TEST_CASE(wrapped_container) wrappedContainer2.getWrappedKeyAndInfo().keyInfo.salt, sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.salt)) == 0); BOOST_REQUIRE(memcmp( - wrappedContainer.getWrappedKeyAndInfo().keyInfo.label, - wrappedContainer2.getWrappedKeyAndInfo().keyInfo.label, - sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.label)) == 0); + wrappedContainer.getWrappedKeyAndInfo().keyInfo.client, + wrappedContainer2.getWrappedKeyAndInfo().keyInfo.client, + sizeof(wrappedContainer.getWrappedKeyAndInfo().keyInfo.client)) == 0); } BOOST_AUTO_TEST_CASE(container) diff --git a/tools/ckm_db_tool/CMakeLists.txt b/tools/ckm_db_tool/CMakeLists.txt index 4a47a1dc..be82e819 100644 --- a/tools/ckm_db_tool/CMakeLists.txt +++ b/tools/ckm_db_tool/CMakeLists.txt @@ -77,6 +77,7 @@ SET(CKM_DB_TOOLS_SOURCES ${KEY_MANAGER_PATH}/service/key-provider.cpp ${KEY_MANAGER_PATH}/service/ss-migrate.cpp ${KEY_MANAGER_PATH}/service/ss-crypto.cpp + ${KEY_MANAGER_PATH}/service/permission.cpp ${KEY_MANAGER_PATH}/sqlcipher/sqlcipher.c ) |