authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2017-11-22 11:37:53 +0100
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2017-11-22 11:37:53 +0100
commit9682ce95dd4a079511c225be2839d93af4ecdc69 (patch)
tree84d4ae4b827525da57324ad0fa9fe6bccf6e8cad
parent40b139332568707e7f2009c997cc21a0f29ac326 (diff)
parent3874f0f942a1a22ce0ceb8e1799133f085536c27 (diff)
downloadkey-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.tar.gz
key-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.tar.bz2
key-manager-9682ce95dd4a079511c225be2839d93af4ecdc69.zip
Change-Id: I0e30db44df252ac6a5629542dfd9cea022a04971
-rw-r--r--src/manager/client-async/client-manager-async-impl.cpp4
-rw-r--r--src/manager/client-async/client-manager-async-impl.h20
-rw-r--r--src/manager/client-async/client-manager-async.cpp42
-rw-r--r--src/manager/client-async/descriptor-set.cpp3
-rw-r--r--src/manager/client-capi/ckmc-manager.cpp73
-rw-r--r--src/manager/client/client-common.cpp3
-rw-r--r--src/manager/client/client-manager-impl.cpp14
-rw-r--r--src/manager/common/exception.h4
-rw-r--r--src/manager/common/protocols.cpp13
-rw-r--r--src/manager/dpl/log/src/dlog_log_provider.cpp10
-rw-r--r--src/manager/main/thread-service.cpp7
-rw-r--r--src/manager/service/ckm-logic.cpp20
-rw-r--r--src/manager/service/db-row.h7
-rw-r--r--src/manager/service/encryption-service.cpp1
-rw-r--r--src/manager/service/key-provider.cpp30
-rw-r--r--src/manager/service/ocsp.cpp62
16 files changed, 188 insertions, 125 deletions
diff --git a/src/manager/client-async/client-manager-async-impl.cpp b/src/manager/client-async/client-manager-async-impl.cpp
index 96454cbd..3837771e 100644
--- a/src/manager/client-async/client-manager-async-impl.cpp
+++ b/src/manager/client-async/client-manager-async-impl.cpp
@@ -42,7 +42,7 @@ void ManagerAsync::Impl::saveKey(const ObserverPtr &observer,
{
observerCheck(observer);
- if (alias.empty() || !key) {
+ if (alias.empty() || !key || key->empty()) {
observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
return;
}
@@ -62,7 +62,7 @@ void ManagerAsync::Impl::saveCertificate(const ObserverPtr &observer,
{
observerCheck(observer);
- if (alias.empty() || !cert) {
+ if (alias.empty() || !cert || cert->empty()) {
observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
return;
}
diff --git a/src/manager/client-async/client-manager-async-impl.h b/src/manager/client-async/client-manager-async-impl.h
index c0cfaab5..65f4970a 100644
--- a/src/manager/client-async/client-manager-async-impl.h
+++ b/src/manager/client-async/client-manager-async-impl.h
@@ -135,19 +135,11 @@ public:
const T &trusted,
bool useSystemTrustedCertificates)
{
- observerCheck(observer);
+ if (!certificate || certificate->empty())
+ ThrowMsg(Exc::InputParam, "Empty certificate");
- if (!certificate) {
- observer->ReceivedError(CKM_API_ERROR_INPUT_PARAM);
- return;
- }
-
- try_catch_async([&]() {
- sendToStorage(observer, static_cast<int>(command), m_counter,
- certificate->getDER(), untrusted, trusted, useSystemTrustedCertificates);
- }, [&observer](int error) {
- observer->ReceivedError(error);
- });
+ sendToStorage(observer, static_cast<int>(command), m_counter,
+ certificate->getDER(), untrusted, trusted, useSystemTrustedCertificates);
}
void crypt(
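Review bot: getCertChain no longer validates the observer or reports errors to it; it now throws `Exc::InputParam`, and nothing in the header says so. Every caller therefore has to call `observerCheck()` and wrap the call in `try_catch_async` itself, as the two `getCertificateChain` overloads in this commit do. A comment above the template would make the contract explicit, for example `// Throws Exc::InputParam on a null or empty certificate; callers must run observerCheck() and wrap this call in try_catch_async.` The start of the function is outside the hunk.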
@@ -158,6 +150,8 @@ public:
const RawBuffer &input,
bool encryption);
+ static void observerCheck(const ManagerAsync::ObserverPtr &observer);
+
private:
template <typename... Args>
void sendToStorage(const ManagerAsync::ObserverPtr &observer,
@@ -172,8 +166,6 @@ private:
m_counter));
}
- void observerCheck(const ManagerAsync::ObserverPtr &observer);
-
typedef std::unique_ptr<ConnectionThread> ConnectionThreadPtr;
ConnectionThreadPtr &thread()
diff --git a/src/manager/client-async/client-manager-async.cpp b/src/manager/client-async/client-manager-async.cpp
index 7ef0696a..471c8483 100644
--- a/src/manager/client-async/client-manager-async.cpp
+++ b/src/manager/client-async/client-manager-async.cpp
@@ -21,6 +21,7 @@
#include <ckm/ckm-manager-async.h>
#include <client-manager-async-impl.h>
+#include <exception.h>
namespace CKM {
@@ -29,8 +30,11 @@ RawBufferVector toRawBufferVector(const CertificateShPtrVector &certificates)
{
RawBufferVector rawBufferVector;
- for (auto &e : certificates)
+ for (auto &e : certificates) {
+ if (!e || e->empty())
+ ThrowMsg(Exc::InputParam, "Empty certificate");
rawBufferVector.push_back(e->getDER());
+ }
return rawBufferVector;
}
@@ -205,12 +209,18 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
const CertificateShPtrVector &trustedCertificates,
bool useSystemTrustedCertificates)
{
- m_impl->getCertChain(observer,
- LogicCommand::GET_CHAIN_CERT,
- certificate,
- toRawBufferVector(untrustedCertificates),
- toRawBufferVector(trustedCertificates),
- useSystemTrustedCertificates);
+ Impl::observerCheck(observer);
+
+ try_catch_async([&]() {
+ m_impl->getCertChain(observer,
+ LogicCommand::GET_CHAIN_CERT,
+ certificate,
+ toRawBufferVector(untrustedCertificates),
+ toRawBufferVector(trustedCertificates),
+ useSystemTrustedCertificates);
+ }, [&observer](int error) {
+ observer->ReceivedError(error);
+ });
}
void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
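Review bot: The exceptions now thrown inside this `try_catch_async` block (`Exc::InputParam` from `toRawBufferVector` and `getCertChain`) only reach the observer with the right code if `try_catch_async` maps `Exc::Exception` to `e.error()`. This commit adds such a handler to `try_catch_enclosure` in client-common.cpp, but no matching change to `try_catch_async` is visible in the diff. Please confirm it forwards `CKM_API_ERROR_INPUT_PARAM` rather than a generic error. The same applies to the alias overload in the next hunk.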
@@ -219,12 +229,18 @@ void ManagerAsync::getCertificateChain(const ObserverPtr &observer,
const AliasVector &trustedCertificates,
bool useSystemTrustedCertificates)
{
- m_impl->getCertChain(observer,
- LogicCommand::GET_CHAIN_ALIAS,
- certificate,
- toLabelNameVector(untrustedCertificates),
- toLabelNameVector(trustedCertificates),
- useSystemTrustedCertificates);
+ Impl::observerCheck(observer);
+
+ try_catch_async([&]() {
+ m_impl->getCertChain(observer,
+ LogicCommand::GET_CHAIN_ALIAS,
+ certificate,
+ toLabelNameVector(untrustedCertificates),
+ toLabelNameVector(trustedCertificates),
+ useSystemTrustedCertificates);
+ }, [&observer](int error) {
+ observer->ReceivedError(error);
+ });
}
void ManagerAsync::createSignature(const ObserverPtr &observer,
diff --git a/src/manager/client-async/descriptor-set.cpp b/src/manager/client-async/descriptor-set.cpp
index 83442b2f..fdee29db 100644
--- a/src/manager/client-async/descriptor-set.cpp
+++ b/src/manager/client-async/descriptor-set.cpp
@@ -34,6 +34,8 @@ DescriptorSet::DescriptorSet() : m_dirty(true), m_fds(NULL)
DescriptorSet::~DescriptorSet()
{
purge();
+
+ delete[] m_fds;
}
void DescriptorSet::purge()
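Review bot: With `delete[] m_fds;` in the destructor, DescriptorSet becomes the manual owner of that array, so an implicitly generated copy would free it twice. The hunk does not show whether copying is disabled. Either delete the copy constructor and copy assignment (`DescriptorSet(const DescriptorSet &) = delete;`), or hold the array in a `std::unique_ptr<T[]>` so the destructor line and the copy problem both go away.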
@@ -42,6 +44,7 @@ void DescriptorSet::purge()
close(it.first);
m_descriptors.clear();
+ m_dirty = true;
}
void DescriptorSet::add(int fd, short events, Callback &&callback)
diff --git a/src/manager/client-capi/ckmc-manager.cpp b/src/manager/client-capi/ckmc-manager.cpp
index 2aa3c48b..37dd14fc 100644
--- a/src/manager/client-capi/ckmc-manager.cpp
+++ b/src/manager/client-capi/ckmc-manager.cpp
@@ -45,22 +45,34 @@ inline CKM::Policy _toCkmPolicy(const ckmc_policy_s &policy)
return CKM::Policy(_tostring(policy.password), policy.extractable);
}
-inline CKM::KeyShPtr _toCkmKey(const ckmc_key_s *key)
+CKM::KeyShPtr _toCkmKey(const ckmc_key_s *key)
{
- return (key == nullptr) ?
- CKM::KeyShPtr() :
- CKM::Key::create(
+ if (key == nullptr)
+ return CKM::KeyShPtr();
+
+ auto ckmKey = CKM::Key::create(
CKM::RawBuffer(key->raw_key, key->raw_key + key->key_size),
_tostring(key->password));
+
+ if (!ckmKey || ckmKey->empty())
+ ThrowMsg(CKM::Exc::InvalidFormat, "Key parsing failed");
+
+ return ckmKey;
}
-inline CKM::CertificateShPtr _toCkmCertificate(const ckmc_cert_s *cert)
+CKM::CertificateShPtr _toCkmCertificate(const ckmc_cert_s *cert)
{
- return (cert == nullptr) ?
- CKM::CertificateShPtr() :
- CKM::Certificate::create(
+ if (cert == nullptr)
+ return CKM::CertificateShPtr();
+
+ auto ckmCert = CKM::Certificate::create(
CKM::RawBuffer(cert->raw_cert, cert->raw_cert + cert->cert_size),
static_cast<CKM::DataFormat>(static_cast<int>(cert->data_format)));
+
+ if (!ckmCert || ckmCert->empty())
+ ThrowMsg(CKM::Exc::InvalidFormat, "Certificate parsing failed");
+
+ return ckmCert;
}
CKM::CertificateShPtrVector _toCkmCertificateVector(const ckmc_cert_list_s
@@ -101,6 +113,9 @@ ckmc_cert_list_s *_toNewCkmCertList(const CKM::CertificateShPtrVector
ckmc_cert_list_s *plist = nullptr;
for (const auto &e : certVector) {
+ if (!e || e->empty())
+ ThrowMsg(CKM::Exc::BadResponse, "Empty certificate received from server");
+
auto rawBuffer = e->getDER();
ckmc_cert_s *pcert = nullptr;
int ret = ckmc_cert_new(rawBuffer.data(), rawBuffer.size(), CKMC_FORM_DER,
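Review bot: The `ThrowMsg(CKM::Exc::BadResponse, ...)` added at the top of the loop body can fire on a later element, after earlier iterations have already allocated certificates into the C list being built. The rest of the loop is outside the hunk, so the leak is inferred, but nothing visible releases the partial list before the throw. Checking every entry of `certVector` in a separate pass before the first allocation would avoid it. The early `return CKMC_ERROR_BAD_RESPONSE` added for `pkcsCert->empty()` in `ckmc_get_pkcs12` deserves the same look, since it runs after the key block above it may have created a `ckmc_key_s`.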
@@ -223,6 +238,9 @@ int ckmc_get_key(const char *alias, const char *password, ckmc_key_s **key)
if ((ret = mgr->getKey(alias, _tostring(password), ckmKey)) != CKM_API_SUCCESS)
return to_ckmc_error(ret);
+ if (!ckmKey || ckmKey->empty())
+ return CKMC_ERROR_BAD_RESPONSE;
+
auto buffer = ckmKey->getDER();
return ckmc_key_new(
buffer.data(),
@@ -287,13 +305,9 @@ int ckmc_save_cert(const char *alias, const ckmc_cert_s cert,
if (alias == nullptr || cert.raw_cert == nullptr || cert.cert_size == 0)
return CKMC_ERROR_INVALID_PARAMETER;
- auto ckmCert = _toCkmCertificate(&cert);
-
- if (!ckmCert)
- return CKMC_ERROR_INVALID_FORMAT;
-
auto mgr = CKM::Manager::create();
- return to_ckmc_error(mgr->saveCertificate(CKM::Alias(alias), ckmCert,
+ return to_ckmc_error(mgr->saveCertificate(CKM::Alias(alias),
+ _toCkmCertificate(&cert),
_toCkmPolicy(policy)));
EXCEPTION_GUARD_END
@@ -324,6 +338,9 @@ int ckmc_get_cert(const char *alias, const char *password, ckmc_cert_s **cert)
ckmCert)) != CKM_API_SUCCESS)
return to_ckmc_error(ret);
+ if (!ckmCert || ckmCert->empty())
+ return CKMC_ERROR_BAD_RESPONSE;
+
auto buffer = ckmCert->getDER();
return ckmc_cert_new(buffer.data(), buffer.size(), CKMC_FORM_DER, cert);
@@ -424,6 +441,9 @@ int ckmc_get_pkcs12(const char *alias, const char *key_password,
auto pkcsKey = pkcs->getKey();
if (pkcsKey) {
+ if (pkcsKey->empty())
+ return CKMC_ERROR_BAD_RESPONSE;
+
ckmc_key_s *private_key = nullptr;
auto buffer = pkcsKey->getDER();
ckmc_key_type_e keyType = static_cast<ckmc_key_type_e>(pkcsKey->getType());
@@ -439,6 +459,9 @@ int ckmc_get_pkcs12(const char *alias, const char *key_password,
auto pkcsCert = pkcs->getCertificate();
if (pkcsCert) {
+ if (pkcsCert->empty())
+ return CKMC_ERROR_BAD_RESPONSE;
+
ckmc_cert_s *cert = nullptr;
CKM::RawBuffer buffer = pkcsCert->getDER();
ret = ckmc_cert_new(buffer.data(), buffer.size(), CKMC_FORM_DER, &cert);
@@ -716,15 +739,10 @@ int ckmc_get_cert_chain(const ckmc_cert_s *cert,
cert_chain_list == nullptr)
return CKMC_ERROR_INVALID_PARAMETER;
- auto ckmCert = _toCkmCertificate(cert);
-
- if (!ckmCert)
- return CKMC_ERROR_INVALID_FORMAT;
-
CKM::CertificateShPtrVector ckmCertChain;
auto mgr = CKM::Manager::create();
int ret = mgr->getCertificateChain(
- ckmCert,
+ _toCkmCertificate(cert),
_toCkmCertificateVector(untrustedcerts),
EMPTY_CERT_VECTOR,
true,
@@ -750,14 +768,10 @@ int ckmc_get_cert_chain_with_alias(const ckmc_cert_s *cert,
cert_chain_list == nullptr)
return CKMC_ERROR_INVALID_PARAMETER;
- auto ckmCert = _toCkmCertificate(cert);
-
- if (!ckmCert)
- return CKMC_ERROR_INVALID_FORMAT;
-
CKM::CertificateShPtrVector ckmCertChain;
auto mgr = CKM::Manager::create();
- int ret = mgr->getCertificateChain(ckmCert, _toCkmAliasVector(untrustedcerts),
+ int ret = mgr->getCertificateChain(_toCkmCertificate(cert),
+ _toCkmAliasVector(untrustedcerts),
EMPTY_ALIAS_VECTOR, true, ckmCertChain);
if (ret != CKM_API_SUCCESS)
@@ -783,15 +797,10 @@ int ckmc_get_cert_chain_with_trustedcert(const ckmc_cert_s *cert,
ppcert_chain_list == nullptr)
return CKMC_ERROR_INVALID_PARAMETER;
- auto ckmCert = _toCkmCertificate(cert);
-
- if (!ckmCert)
- return CKMC_ERROR_INVALID_PARAMETER;
-
CKM::CertificateShPtrVector ckmCertChain;
auto mgr = CKM::Manager::create();
int ret = mgr->getCertificateChain(
- ckmCert,
+ _toCkmCertificate(cert),
_toCkmCertificateVector(untrustedcerts),
_toCkmCertificateVector(trustedcerts),
sys_certs,
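Review bot: Removing the local `if (!ckmCert) return CKMC_ERROR_INVALID_PARAMETER;` changes the error code this function returns for an unparseable certificate. The failure now comes from `Exc::InvalidFormat` thrown in `_toCkmCertificate`, which presumably maps to the invalid-format code instead. That is consistent with the other two chain functions, but it is an API-visible change for existing callers and should be reflected in the function's documented return values. The function also now depends entirely on the surrounding exception guard, which is outside the hunk.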
diff --git a/src/manager/client/client-common.cpp b/src/manager/client/client-common.cpp
index 7cb11089..312f3340 100644
--- a/src/manager/client/client-common.cpp
+++ b/src/manager/client/client-common.cpp
@@ -40,6 +40,7 @@
#include <ckm/ckm-error.h>
#include <ckmc/ckmc-type.h>
#include <client-common.h>
+#include <ckmc-type-converter.h>
namespace {
@@ -345,6 +346,8 @@ int try_catch_enclosure(const std::function<int()> &func)
{
try {
return func();
+ } catch (const Exc::Exception &e) {
+ return to_ckmc_error(e.error());
} catch (const std::bad_alloc &e) {
LogError("memory allocation exception: " << e.what());
return CKMC_ERROR_OUT_OF_MEMORY;
diff --git a/src/manager/client/client-manager-impl.cpp b/src/manager/client/client-manager-impl.cpp
index f1b68bb1..fa4f5a9f 100644
--- a/src/manager/client/client-manager-impl.cpp
+++ b/src/manager/client/client-manager-impl.cpp
@@ -143,7 +143,7 @@ int Manager::Impl::saveBinaryData(
int Manager::Impl::saveKey(const Alias &alias, const KeyShPtr &key,
const Policy &policy)
{
- if (key.get() == NULL)
+ if (key.get() == NULL || key->empty())
return CKM_API_ERROR_INPUT_PARAM;
try {
@@ -159,7 +159,7 @@ int Manager::Impl::saveCertificate(
const CertificateShPtr &cert,
const Policy &policy)
{
- if (cert.get() == NULL)
+ if (cert.get() == NULL || cert->empty())
return CKM_API_ERROR_INPUT_PARAM;
return saveBinaryData(alias, DataType::CERTIFICATE, cert->getDER(), policy);
@@ -626,11 +626,17 @@ int Manager::Impl::getCertificateChain(
if (!certificate || certificate->empty())
return CKM_API_ERROR_INPUT_PARAM;
- for (auto &e : untrustedCertificates)
+ for (auto &e : untrustedCertificates) {
+ if (!e || e->empty())
+ return CKM_API_ERROR_INPUT_PARAM;
untrustedVector.push_back(e->getDER());
+ }
- for (auto &e : trustedCertificates)
+ for (auto &e : trustedCertificates) {
+ if (!e || e->empty())
+ return CKM_API_ERROR_INPUT_PARAM;
trustedVector.push_back(e->getDER());
+ }
return getCertChain(
m_storageConnection,
diff --git a/src/manager/common/exception.h b/src/manager/common/exception.h
index 874fbd0f..22188300 100644
--- a/src/manager/common/exception.h
+++ b/src/manager/common/exception.h
@@ -124,6 +124,10 @@ using InputParam =
DefineException<CKM_API_ERROR_INPUT_PARAM, true, PrintDebug>;
using AuthenticationFailed =
DefineException<CKM_API_ERROR_AUTHENTICATION_FAILED, true, PrintDebug>;
+using InvalidFormat =
+ DefineException<CKM_API_ERROR_INVALID_FORMAT, true, PrintDebug>;
+using BadResponse =
+ DefineException<CKM_API_ERROR_BAD_RESPONSE, true, PrintDebug>;
struct TransactionFailed : public DatabaseFailed {
diff --git a/src/manager/common/protocols.cpp b/src/manager/common/protocols.cpp
index a42d75d2..8cf65725 100644
--- a/src/manager/common/protocols.cpp
+++ b/src/manager/common/protocols.cpp
@@ -108,14 +108,15 @@ PKCS12Serializable::PKCS12Serializable(IStream &stream)
for (size_t i = 0; i < numCA; i++) {
RawBuffer CAcertData;
Deserialization::Deserialize(stream, CAcertData);
- m_ca.emplace_back(CKM::Certificate::create(CAcertData, DataFormat::FORM_DER));
-
- if (m_pkey)
+ auto ca = CKM::Certificate::create(CAcertData, DataFormat::FORM_DER);
+ if (ca) {
LogDebug("ca certificate from pkcs deserialized success. cert size: " <<
- CAcertData.size() << " and DER size: " << CKM::Certificate::create(CAcertData,
- DataFormat::FORM_DER)->getDER().size());
- else
+ CAcertData.size() << " and DER size: " << ca->getDER().size());
+
+ m_ca.emplace_back(std::move(ca));
+ } else {
LogError("ca certificate from pkcs deserialized fail");
+ }
}
}
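Review bot: The new `if (ca)` test accepts a non-null but empty certificate, while the rest of this commit treats `!e || e->empty()` as the failure condition; `if (ca && !ca->empty())` would keep the deserializer consistent. A CA that fails to parse is also only logged and skipped, so the object ends up with fewer CA certificates than `numCA` announced and the caller cannot tell the chain is incomplete. Consider failing the deserialization, or add a comment stating why a partial chain is acceptable here. The constructor starts outside the hunk.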
diff --git a/src/manager/dpl/log/src/dlog_log_provider.cpp b/src/manager/dpl/log/src/dlog_log_provider.cpp
index 0f6bb222..8a1325b0 100644
--- a/src/manager/dpl/log/src/dlog_log_provider.cpp
+++ b/src/manager/dpl/log/src/dlog_log_provider.cpp
@@ -36,23 +36,23 @@ typedef void (*dlogMacro)(const char *, const char *);
// I can't map LOG_ values because SLOG uses token concatenation
void error(const char *tag, const char *msg)
{
- SLOG(LOG_ERROR, tag, "%s", msg);
+ print_system_log(DLOG_ERROR, tag, "%s", msg);
}
void warning(const char *tag, const char *msg)
{
- SLOG(LOG_WARN, tag, "%s", msg);
+ print_system_log(DLOG_WARN, tag, "%s", msg);
}
void info(const char *tag, const char *msg)
{
- SLOG(LOG_INFO, tag, "%s", msg);
+ print_system_log(DLOG_INFO, tag, "%s", msg);
}
void debug(const char *tag, const char *msg)
{
- SLOG(LOG_DEBUG, tag, "%s", msg);
+ print_system_log(DLOG_DEBUG, tag, "%s", msg);
}
void pedantic(const char *tag, const char *msg)
{
- SLOG(LOG_VERBOSE, tag, "%s", msg);
+ print_system_log(DLOG_VERBOSE, tag, "%s", msg);
}
std::map<AbstractLogProvider::LogLevel, dlogMacro> dlogMacros = {
// [](const char* tag, const char* msg) { SLOG(LOG_ERROR, tag, "%s", msg); } won't compile
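Review bot: Two comments in this hunk still describe the `SLOG` macro that the change removes: `// I can't map LOG_ values because SLOG uses token concatenation` above `error()` and the `SLOG(...) won't compile` remark inside the `dlogMacros` initializer. They now explain a constraint the code no longer has and should be updated or dropped, for example `// thin wrappers so each level can be stored as a dlogMacro function pointer`. If `print_system_log` takes the priority as an ordinary argument, the five wrappers could also be replaced by a level-to-priority map, but that is optional.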
diff --git a/src/manager/main/thread-service.cpp b/src/manager/main/thread-service.cpp
index 9bd49930..ef512892 100644
--- a/src/manager/main/thread-service.cpp
+++ b/src/manager/main/thread-service.cpp
@@ -34,20 +34,17 @@ ThreadService::~ThreadService()
void ThreadService::Handle(const AcceptEvent &event)
{
- LogDebug("Accept event");
auto &info = m_connectionInfoMap[event.connectionID.counter];
info.interfaceID = event.interfaceID;
info.credentials = event.credentials;
}
-void ThreadService::Handle(const WriteEvent &event)
+void ThreadService::Handle(const WriteEvent &)
{
- LogDebug("Write event (" << event.size << " bytes )");
}
void ThreadService::Handle(const ReadEvent &event)
{
- LogDebug("Read event");
auto &info = m_connectionInfoMap[event.connectionID.counter];
info.buffer.Push(event.rawBuffer);
@@ -63,13 +60,11 @@ void ThreadService::Handle(const ReadEvent &event)
void ThreadService::Handle(const CloseEvent &event)
{
- LogDebug("Close event");
m_connectionInfoMap.erase(event.connectionID.counter);
}
void ThreadService::Handle(const SecurityEvent &event)
{
- LogDebug("Security event");
auto it = m_connectionInfoMap.find(event.connectionID.counter);
if (it == m_connectionInfoMap.end()) {
diff --git a/src/manager/service/ckm-logic.cpp b/src/manager/service/ckm-logic.cpp
index 5f134441..2da20703 100644
--- a/src/manager/service/ckm-logic.cpp
+++ b/src/manager/service/ckm-logic.cpp
@@ -487,8 +487,6 @@ int CKMLogic::getKeyForService(
const Password &pass,
Crypto::GObjShPtr &key)
{
- DB::Row row;
-
try {
// Key is for internal service use. It won't be exported to the client
Crypto::GObjUPtr obj;
@@ -946,7 +944,7 @@ RawBuffer CKMLogic::getData(
const Password &password)
{
int retCode = CKM_API_SUCCESS;
- DB::Row row;
+ RawBuffer rowData;
DataType objDataType;
try {
@@ -955,7 +953,7 @@ RawBuffer CKMLogic::getData(
objDataType);
if (retCode == CKM_API_SUCCESS)
- row.data = std::move(obj->getBinary());
+ rowData = obj->getBinary();
} catch (const Exc::Exception &e) {
retCode = e.error();
} catch (const CKM::Exception &e) {
@@ -963,16 +961,14 @@ RawBuffer CKMLogic::getData(
retCode = CKM_API_ERROR_SERVER_ERROR;
}
- if (CKM_API_SUCCESS != retCode) {
- row.data.clear();
- row.dataType = dataType;
- }
+ if (CKM_API_SUCCESS != retCode)
+ rowData.clear();
auto response = MessageBuffer::Serialize(static_cast<int>(LogicCommand::GET),
commandId,
retCode,
static_cast<int>(objDataType),
- row.data);
+ rowData);
return response.Pop();
}
@@ -1470,8 +1466,6 @@ int CKMLogic::readCertificateHelper(
const LabelNameVector &labelNameVector,
CertificateImplVector &certVector)
{
- DB::Row row;
-
for (auto &i : labelNameVector) {
// certificates can't be protected with custom user password
Crypto::GObjUPtr obj;
@@ -1569,7 +1563,6 @@ int CKMLogic::getCertificateChainHelper(
CertificateImplVector untrustedCertVector;
CertificateImplVector trustedCertVector;
CertificateImplVector chainVector;
- DB::Row row;
if (cert.empty())
return CKM_API_ERROR_INPUT_PARAM;
@@ -1681,7 +1674,6 @@ RawBuffer CKMLogic::createSignature(
const RawBuffer &message,
const CryptoAlgorithm &cryptoAlg)
{
- DB::Row row;
RawBuffer signature;
int retCode = CKM_API_SUCCESS;
@@ -1724,8 +1716,6 @@ RawBuffer CKMLogic::verifySignature(
int retCode = CKM_API_ERROR_VERIFICATION_FAILED;
try {
- DB::Row row;
-
// try certificate first - looking for a public key.
// in case of PKCS, pub key from certificate will be found first
// rather than private key from the same PKCS.
diff --git a/src/manager/service/db-row.h b/src/manager/service/db-row.h
index 722e1498..0f171bad 100644
--- a/src/manager/service/db-row.h
+++ b/src/manager/service/db-row.h
@@ -30,7 +30,12 @@ namespace CKM {
namespace DB {
struct Row : public Token {
- Row() = default;
+ Row() :
+ Token(),
+ exportable(0),
+ algorithmType(DBCMAlgType::NONE),
+ encryptionScheme(0),
+ dataSize(0) {}
Row(Token token, const Name &pName, const Label &pLabel, int pExportable) :
Token(std::move(token)),
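Review bot: The new default constructor initializes `exportable`, `algorithmType`, `encryptionScheme` and `dataSize` by hand, but the hunk does not show whether the other constructors set the same members. Default member initializers on the field declarations (e.g. `int exportable = 0;`) would cover every constructor and let `Row() = default;` stay. The member declarations are outside the hunk, so this is a suggestion to check rather than a confirmed gap.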
diff --git a/src/manager/service/encryption-service.cpp b/src/manager/service/encryption-service.cpp
index f9678368..f8868676 100644
--- a/src/manager/service/encryption-service.cpp
+++ b/src/manager/service/encryption-service.cpp
@@ -142,7 +142,6 @@ void EncryptionService::ProcessEncryption(const ConnectionID &conn,
void EncryptionService::CustomHandle(const ReadEvent &event)
{
- LogDebug("Read event");
auto &info = m_connectionInfoMap[event.connectionID.counter];
info.buffer.Push(event.rawBuffer);
diff --git a/src/manager/service/key-provider.cpp b/src/manager/service/key-provider.cpp
index 4ca4f038..60cce238 100644
--- a/src/manager/service/key-provider.cpp
+++ b/src/manager/service/key-provider.cpp
@@ -602,29 +602,13 @@ int KeyProvider::decryptAes256Gcm(const unsigned char *ciphertext,
char *KeyProvider::concat_password_user(const char *user, const char *password)
{
- char *concat_user_pass = NULL;
- char *resized_user = NULL;
- int concat_user_pass_len = 0;
-
- if (strlen(user) > MAX_LABEL_SIZE - 1) {
- resized_user = new char[MAX_LABEL_SIZE];
- memcpy(resized_user, user, MAX_LABEL_SIZE - 1);
- resized_user[MAX_LABEL_SIZE - 1] = '\0';
- } else {
- resized_user = new char[strlen(user) + 1];
- memcpy(resized_user, user, strlen(user));
- resized_user[strlen(user)] = '\0';
- }
-
- concat_user_pass_len = strlen(resized_user) + strlen(password) + 1;
- concat_user_pass = new char[concat_user_pass_len];
+ std::string result(password);
+ result += user;
- memset(concat_user_pass, '\0', concat_user_pass_len);
- memcpy(concat_user_pass, password, strlen(password));
- memcpy(&(concat_user_pass[strlen(password)]), resized_user,
- strlen(resized_user));
- concat_user_pass[strlen(resized_user) + strlen(password)] = '\0';
+ if (strlen(user) > MAX_LABEL_SIZE - 1)
+ result.resize(strlen(password) + MAX_LABEL_SIZE - 1);
- delete[] resized_user;
- return concat_user_pass;
+ char *ret = new char[result.size() + 1];
+ memcpy(ret, result.c_str(), result.size() + 1);
+ return ret;
}
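Review bot: The rewritten concat_password_user assembles the password and user in a temporary `std::string` that is destroyed without being wiped, and `+=` may reallocate and leave a further copy, so the secret ends up in freed heap memory in addition to the returned buffer. Building the result directly in the returned buffer avoids the extra copies and the repeated `strlen` calls. `user` and `password` are still dereferenced without a null check, as before. A comment should also state that the caller owns the result and must `delete[]` it (ideally after wiping it).

```cpp
char *KeyProvider::concat_password_user(const char *user, const char *password)
{
	// Write straight into the returned buffer so no unwiped temporary
	// copy of the password is left behind. Caller owns the result.
	const size_t passLen = strlen(password);
	size_t userLen = strlen(user);

	// Only the first MAX_LABEL_SIZE - 1 bytes of the user name are used.
	if (userLen > MAX_LABEL_SIZE - 1)
		userLen = MAX_LABEL_SIZE - 1;

	char *ret = new char[passLen + userLen + 1];
	memcpy(ret, password, passLen);
	memcpy(ret + passLen, user, userLen);
	ret[passLen + userLen] = '\0';
	return ret;
}
```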
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index dcccf2ac..acbf9d30 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -37,6 +37,9 @@
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
+/* Timeout in seconds for ocsp response */
+#define OCSP_TIMEOUT 30
+
namespace CKM {
namespace {
@@ -151,6 +154,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
std::vector<char> url(constUrl.begin(), constUrl.end());
url.push_back(0);
+ std::string headerHost;
{
char *chost = NULL, *cport = NULL, *cpath = NULL;
@@ -159,7 +163,10 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
/* report error */
return CKM_API_OCSP_STATUS_INVALID_URL;
- if (chost) host = chost;
+ if (chost) {
+ host = chost;
+ headerHost = chost;
+ }
if (cport) port = cport;
if (cpath) path = cpath;
@@ -198,6 +205,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
if (cbio == NULL) {
/*BIO_printf(bio_err, "Error creating connect BIO\n");*/
/* report error */
+ LogError("Connection to ocsp host failed: " << host);
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
@@ -266,7 +274,56 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
}
- resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
+ std::unique_ptr<OCSP_REQ_CTX, decltype(OCSP_REQ_CTX_free)*> ctx(OCSP_sendreq_new(cbio, path.c_str(), NULL, -1), OCSP_REQ_CTX_free);
+ if (!ctx) {
+ LogError("Error creating OCSP_REQ_CTX");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_add1_header(ctx.get(), "host", headerHost.c_str())) {
+ LogError("Error adding header");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!OCSP_REQ_CTX_set1_req(ctx.get(), req)) {
+ LogError("Error setting ocsp request");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ int fd;
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ LogError("Error extracting fd from bio");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+
+ for (;;) {
+ fd_set confds;
+ int req_timeout = OCSP_TIMEOUT;
+ struct timeval tv;
+ int rv = OCSP_sendreq_nbio(&resp, ctx.get());
+ if (rv != -1)
+ break;
+ FD_ZERO(&confds);
+ FD_SET(fd, &confds);
+ tv.tv_usec = 0;
+ tv.tv_sec = req_timeout;
+ if (BIO_should_read(cbio)) {
+ rv = select(fd + 1, &confds, NULL, NULL, &tv);
+ } else if (BIO_should_write(cbio)) {
+ rv = select(fd + 1, NULL, &confds, NULL, &tv);
+ } else {
+ LogError("Unexpected retry condition\n");
+ return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
+ }
+ if (rv == 0) {
+ LogError("Timeout on request\n");
+ break;
+ }
+ if (rv == -1) {
+ LogError("Select error\n");
+ break;
+ }
+ }
if (use_ssl && use_ssl_ctx)
SSL_CTX_free(use_ssl_ctx);
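Review bot: The wait loop passes `fd` to `FD_SET` without checking it against `FD_SETSIZE`, which is undefined behaviour in a long-running service that may hold many descriptors; `poll()` has no such limit. `OCSP_TIMEOUT` is also re-armed on every iteration, so a responder that sends a few bytes at a time can hold the request open far longer than 30 seconds; a single deadline for the whole exchange bounds it. No `BIO_set_nbio(cbio, 1)` is visible in this diff, and if the BIO is still blocking, `OCSP_sendreq_nbio` would not return -1 and the timeout would never apply, so please confirm. The new `return` statements also leave before the `SSL_CTX_free` that follows the loop (other cleanup is outside the hunk). ocsp_verify starts and ends outside this hunk.

```cpp
// … unchanged: OCSP_REQ_CTX setup, header, request, BIO_get_fd …

// One time budget for the whole request/response exchange.
const auto deadline = std::chrono::steady_clock::now() +
                      std::chrono::seconds(OCSP_TIMEOUT);

for (;;) {
	int rv = OCSP_sendreq_nbio(&resp, ctx.get());
	if (rv != -1)
		break;

	struct pollfd pfd;
	pfd.fd = fd;
	pfd.revents = 0;

	if (BIO_should_read(cbio)) {
		pfd.events = POLLIN;
	} else if (BIO_should_write(cbio)) {
		pfd.events = POLLOUT;
	} else {
		LogError("Unexpected retry condition\n");
		break; // fall through to the cleanup below instead of returning
	}

	const auto left = std::chrono::duration_cast<std::chrono::milliseconds>(
				deadline - std::chrono::steady_clock::now()).count();
	if (left <= 0) {
		LogError("Timeout on request\n");
		break;
	}

	rv = poll(&pfd, 1, static_cast<int>(left));
	if (rv == 0) {
		LogError("Timeout on request\n");
		break;
	}
	if (rv == -1 && errno != EINTR) {
		LogError("Poll error\n");
		break;
	}
}
```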
@@ -370,7 +427,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
return CKM_API_OCSP_STATUS_INVALID_RESPONSE;
}
-
/* Check validity: if invalid write to output BIO so we
* know which response this refers to.
*/