authorKyungwook Tak <k.tak@samsung.com>2016-11-29 17:23:58 +0900
committerKyungwook Tak <k.tak@samsung.com>2016-11-29 17:24:29 +0900
commita8b74d4ef54ccb432090a6f8d6bb3b16f5582acb (patch)
tree1aca5579ddd727823b738ae1f77df1d7d756ca38
parentf327e9fca40ad1cf62ac18e052f09c65debac72b (diff)
parent0780d62047e7d7472c65c791866e7a5fa9be7863 (diff)
Change-Id: I07c54554e9f79f75dcb58435e8b39bfd24f1599d Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
-rw-r--r--CMakeLists.txt1
-rw-r--r--packaging/libwebappenc.manifest.in5
-rw-r--r--packaging/libwebappenc.spec23
-rw-r--r--resources/CMakeLists.txt35
-rw-r--r--scripts/CMakeLists.txt16
-rwxr-xr-xscripts/wae-upgrade.sh.in30
-rw-r--r--srcs/key_handler.c147
-rw-r--r--systemd/CMakeLists.txt24
-rw-r--r--systemd/webappenc-initializer.service.in8
9 files changed, 189 insertions, 100 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 436eb74..96efdbe 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -93,3 +93,4 @@ ADD_SUBDIRECTORY(resources)
ADD_SUBDIRECTORY(include)
ADD_SUBDIRECTORY(tests)
ADD_SUBDIRECTORY(systemd)
+ADD_SUBDIRECTORY(scripts)
diff --git a/packaging/libwebappenc.manifest.in b/packaging/libwebappenc.manifest.in
index 86dbb26..5451c22 100644
--- a/packaging/libwebappenc.manifest.in
+++ b/packaging/libwebappenc.manifest.in
@@ -2,4 +2,9 @@
<request>
<domain name="_" />
</request>
+ <assign>
+ <filesystem path="@RW_SHARE_DIR@/wae" label="@SMACK_DOMAIN@" />
+ <filesystem path="@RW_SHARE_DIR@/wae/app_dek" label="@SMACK_DOMAIN@" />
+ <filesystem path="@RW_SHARE_DIR@/wae/app_dek/*" label="@SMACK_DOMAIN@" />
+ </assign>
</manifest>
diff --git a/packaging/libwebappenc.spec b/packaging/libwebappenc.spec
index 7d796f9..9f8faef 100644
--- a/packaging/libwebappenc.spec
+++ b/packaging/libwebappenc.spec
@@ -37,8 +37,14 @@ Requires: %{name} = %{version}-%{release}
%description test
Web application encryption and decryption service (test)
-%define bin_dir %TZ_SYS_BIN
-%define rw_share_dir %TZ_SYS_SHARE
+%define user_name security_fw
+%define group_name security_fw
+%define smack_domain System
+%define bin_dir %TZ_SYS_BIN
+%define rw_share_dir %TZ_SYS_SHARE
+%define upgrade_dir %TZ_SYS_RO_SHARE/upgrade
+%define upgrade_script_dir %{upgrade_dir}/scripts
+%define upgrade_data_dir %{upgrade_dir}/data
%prep
%setup -q
@@ -52,6 +58,11 @@ Web application encryption and decryption service (test)
-DSYSTEMD_UNIT_DIR=%{_unitdir} \
-DCMAKE_BUILD_TYPE=%{build_type} \
-DRW_SHARE_DIR=%rw_share_dir \
+ -DUPGRADE_DATA_DIR=%upgrade_data_dir \
+ -DUPGRADE_SCRIPT_DIR=%upgrade_script_dir \
+ -DUSER_NAME=%user_name \
+ -DGROUP_NAME=%group_name \
+ -DSMACK_DOMAIN=%smack_domain \
-DBINDIR=%bin_dir
make %{?jobs:-j%jobs}
@@ -88,8 +99,12 @@ fi
%{_unitdir}/webappenc-initializer.service
%{_unitdir}/multi-user.target.wants/webappenc-initializer.service
%{bin_dir}/wae_initializer
-%{rw_share_dir}/wae/app_dek/WAE_APPDEK_KEK_PrivateKey.pem
-%{rw_share_dir}/wae/app_dek/WAE_APPDEK_KEK_PublicKey.pem
+%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae
+%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae/app_dek
+%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/*
+
+%attr(775,root,root) %{upgrade_script_dir}/wae-upgrade.sh
+%{upgrade_data_dir}/wae/app_dek/*
%files devel
%{_includedir}/*
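Review bot: The `%attr(660, ...)` glob on `%{rw_share_dir}/wae/app_dek/*` also covers `WAE_APPDEK_KEK_PrivateKey.pem`, which the removed lines listed by name and which resources/CMakeLists.txt installs with owner read/write only, so the private key becomes readable and writable by the whole `security_fw` group. If only the service user needs it, give the key its own entry with a tighter mode, e.g. `%attr(600, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/WAE_APPDEK_KEK_PrivateKey.pem`, and narrow the glob so the file is not listed twice. The same 660 is applied by `chmod 660 $WAE_DIR/app_dek/*` in scripts/wae-upgrade.sh.in. `%attr(775,root,root)` on wae-upgrade.sh leaves the script group-writable; `755` would be enough for a script that is only executed.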
diff --git a/resources/CMakeLists.txt b/resources/CMakeLists.txt
index ae2bc8b..030553c 100644
--- a/resources/CMakeLists.txt
+++ b/resources/CMakeLists.txt
@@ -1,12 +1,33 @@
-################################################################################
-# for resource install
-################################################################################
-
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file CMakeLists.txt
+# @author Dongsun Lee (ds73.lee@samsung.com)
+# @brief Resource install cmake
+#
INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/resources/WAE_APPDEK_KEK_PublicKey.pem
- ${PROJECT_SOURCE_DIR}/resources/WAE_APPDEK_KEK_PrivateKey.pem
- DESTINATION ${RW_SHARE_DIR}/wae/app_dek/
+ WAE_APPDEK_KEK_PublicKey.pem
+ WAE_APPDEK_KEK_PrivateKey.pem
+ DESTINATION ${RW_SHARE_DIR}/wae/app_dek
PERMISSIONS OWNER_READ
OWNER_WRITE
)
+INSTALL(FILES
+ WAE_APPDEK_KEK_PublicKey.pem
+ WAE_APPDEK_KEK_PrivateKey.pem
+ DESTINATION ${UPGRADE_DATA_DIR}/wae/app_dek
+ PERMISSIONS OWNER_READ
+ OWNER_WRITE
+)
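Review bot: The second `INSTALL(FILES ...)` ships another copy of `WAE_APPDEK_KEK_PrivateKey.pem` under `${UPGRADE_DATA_DIR}` with no comment saying why the key pair is installed twice. Add one above it, e.g. `# Pristine copy for scripts/wae-upgrade.sh, which moves ${UPGRADE_DATA_DIR}/wae to ${RW_SHARE_DIR}/wae`. Every additional location of the private key needs the same access restrictions as the first. The spec entry `%{upgrade_data_dir}/wae/app_dek/*` carries no `%attr`, so this copy's mode presumably comes from the `PERMISSIONS` given here alone.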
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
new file mode 100644
index 0000000..c73467e
--- /dev/null
+++ b/scripts/CMakeLists.txt
@@ -0,0 +1,16 @@
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+CONFIGURE_FILE(wae-upgrade.sh.in wae-upgrade.sh @ONLY)
+INSTALL(FILES wae-upgrade.sh DESTINATION ${UPGRADE_SCRIPT_DIR})
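Review bot: `INSTALL(FILES wae-upgrade.sh ...)` resolves the relative name against the current source directory, while `CONFIGURE_FILE` with a relative output writes to the current binary directory, so the install step finds the generated script only in an in-source build. `FILES` also installs without the execute bit, leaving the mode to the `%attr` in the spec file. Use `INSTALL(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/wae-upgrade.sh DESTINATION ${UPGRADE_SCRIPT_DIR})`. The rewritten systemd/CMakeLists.txt has the same source/binary mismatch for webappenc-initializer.service.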
diff --git a/scripts/wae-upgrade.sh.in b/scripts/wae-upgrade.sh.in
new file mode 100755
index 0000000..652962b
--- /dev/null
+++ b/scripts/wae-upgrade.sh.in
@@ -0,0 +1,30 @@
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file wae-upgrade.sh.in
+# @author Kyungwook Tak (k.tak@samsung.com)
+# @brief Platform upgrade support
+
+WAE_DIR=@RW_SHARE_DIR@/wae
+
+mv @UPGRADE_DATA_DIR@/wae $WAE_DIR
+
+chsmack -a "@SMACK_DOMAIN@" $WAE_DIR -r
+chown -R @USER_NAME@:@GROUP_NAME@ $WAE_DIR
+chmod 770 $WAE_DIR
+chmod 770 $WAE_DIR/app_dek
+chmod 660 $WAE_DIR/app_dek/*
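Review bot: Nothing stops the script after a failed `mv`, so `chsmack -r`, `chown -R` and the `chmod` calls still run against whatever `$WAE_DIR` is at that point. Check the result, e.g. `mv "@UPGRADE_DATA_DIR@/wae" "$WAE_DIR" || exit 1`, and quote the other `$WAE_DIR` expansions. If `$WAE_DIR` already exists as a directory, `mv` places the tree at `$WAE_DIR/wae` and the following commands relabel and re-own the old contents instead. Whether that can happen during a platform upgrade is not visible from this page.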
diff --git a/srcs/key_handler.c b/srcs/key_handler.c
index cf3de1d..4607fdd 100644
--- a/srcs/key_handler.c
+++ b/srcs/key_handler.c
@@ -211,7 +211,7 @@ static int _extract_pkg_id_from_file_name(const char *file_name, char *pkg_id)
start = start + strlen(APP_DEK_FILE_PFX) + 1;
char *end = strstr(file_name, ".adek");
- if (start == NULL) {
+ if (end == NULL) {
WAE_SLOGE("WAE: Fail to extract pkgid from APP_DEK file. file_name=%s", file_name);
return WAE_ERROR_FILE;
}
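Review bot: `end` is still located with `strstr(file_name, ".adek")`, i.e. from the start of the name rather than from `start`, so a name in which `.adek` occurs before the prefix passes the new NULL check with `end` in front of `start`. The code that uses the two pointers lies after the hunk, so whether it derives a copy length from `end - start` is an assumption; if it does, add an ordering guard such as `if (end == NULL || end < start) {`. The names come from the directory scan in load_preloaded_app_deks, so they are file-system input rather than constants.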
@@ -236,6 +236,60 @@ int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *enc
return _write_to_file(path, encrypted);
}
+int _load_preloaded_app_dek(
+ const raw_buffer_s *prikey, const char *filepath, const char *pkg_id)
+{
+ raw_buffer_s *encrypted_dek = NULL;
+ raw_buffer_s *dek = NULL;
+ raw_buffer_s *iv = NULL;
+ crypto_element_s *ce = NULL;
+
+ int ret = _read_from_file(filepath, &encrypted_dek);
+ if (ret != WAE_ERROR_NONE) {
+ WAE_SLOGW("Failed to read file. It will be ignored. file=%s", filepath);
+ return ret;
+ }
+
+ ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek);
+ if (ret != WAE_ERROR_NONE) {
+ WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", filepath);
+ goto finish;
+ }
+
+ iv = buffer_create(IV_LEN);
+ if (iv == NULL) {
+ ret = WAE_ERROR_MEMORY;
+ goto finish;
+ }
+
+ memcpy(iv->buf, AES_CBC_IV, iv->size);
+
+ ce = crypto_element_create(dek, iv);
+ if (ce == NULL) {
+ ret = WAE_ERROR_MEMORY;
+ goto finish;
+ }
+
+ ret = save_to_key_manager(pkg_id, pkg_id, WAE_PRELOADED_APP, ce);
+ if (ret == WAE_ERROR_KEY_EXISTS) {
+ WAE_SLOGI("Key Manager already has dek. It will be ignored. file=%s", filepath);
+ } else if (ret != WAE_ERROR_NONE) {
+ WAE_SLOGW("Fail to add APP DEK to key-manager. file=%s", filepath);
+ }
+
+finish:
+ buffer_destroy(encrypted_dek);
+
+ if (ce == NULL) {
+ buffer_destroy(dek);
+ buffer_destroy(iv);
+ } else {
+ crypto_element_destroy(ce);
+ }
+
+ return ret;
+}
+
int get_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type,
bool create_for_migrated_app, const crypto_element_s **pce)
{
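Review bot: `_load_preloaded_app_dek` relies on `ret` alone after `_read_from_file` and `decrypt_app_dek`, whereas the loop body it replaces (removed further down in load_preloaded_app_deks) also rejected `encrypted_dek == NULL` and `dek == NULL`. If either helper can return WAE_ERROR_NONE without setting its output, a NULL buffer now reaches `decrypt_app_dek` or `crypto_element_create`; their definitions are not in this diff, so this is unverified. Either restore the guards or state the contract above the function, e.g. `/* _read_from_file() and decrypt_app_dek() set their output buffer whenever they return WAE_ERROR_NONE */`. A short header comment should also say that `ce` takes ownership of `dek` and `iv` once `crypto_element_create` succeeds, which is what the `finish:` block depends on.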
@@ -438,7 +492,7 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce)
}
// store APP_DEK in cache
- _add_app_ce_to_cache(pkg_id, ce);
+ ret = _add_app_ce_to_cache(pkg_id, ce);
if (ret != WAE_ERROR_NONE) {
WAE_SLOGE("Failed to add ce to cache for pkg_id(%s) ret(%d)", pkg_id, ret);
goto error;
@@ -479,15 +533,7 @@ int load_preloaded_app_deks(bool reload)
int ret = WAE_ERROR_NONE;
char pkg_id[MAX_PKGID_LEN] = {0, };
-
char file_path_buff[MAX_PATH_LEN];
- raw_buffer_s *encrypted_dek = NULL;
- raw_buffer_s *dek = NULL;
- raw_buffer_s *iv = NULL;
- raw_buffer_s *prikey = NULL;
- crypto_element_s *ce = NULL;
-
- int error_during_loading = 0;
if (!reload) {
// check if all deks were already loaded into key-manager.
@@ -497,6 +543,7 @@ int load_preloaded_app_deks(bool reload)
return ret;
}
+ raw_buffer_s *prikey = NULL;
ret = _get_app_dek_kek(&prikey);
if (ret != WAE_ERROR_NONE) {
@@ -508,6 +555,7 @@ int load_preloaded_app_deks(bool reload)
if (dir == NULL) {
WAE_SLOGE("Fail to open dir. dir=%s", _get_dek_store_path());
+ buffer_destroy(prikey);
return WAE_ERROR_FILE;
}
@@ -515,11 +563,9 @@ int load_preloaded_app_deks(bool reload)
struct dirent *result = NULL;
while (true) {
- int error = readdir_r(dir, &entry, &result);
-
- if (error != 0) {
+ if (readdir_r(dir, &entry, &result) != 0) {
ret = WAE_ERROR_FILE;
- goto error;
+ break;
}
// readdir_r returns NULL in *result if the end
@@ -537,7 +583,7 @@ int load_preloaded_app_deks(bool reload)
if (ret < 0) {
WAE_SLOGE("Failed to make file path by snprintf.");
ret = WAE_ERROR_INVALID_PARAMETER; /* buffer size too small */
- goto error;
+ break;
}
ret = _extract_pkg_id_from_file_name(entry.d_name, pkg_id);
@@ -548,75 +594,22 @@ int load_preloaded_app_deks(bool reload)
continue;
}
- ret = _read_from_file(file_path_buff, &encrypted_dek);
-
- if (ret != WAE_ERROR_NONE || encrypted_dek == NULL) {
- ++error_during_loading;
- WAE_SLOGW("Failed to read file. It will be ignored. file=%s", file_path_buff);
- continue;
- }
-
- ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek);
-
- buffer_destroy(encrypted_dek);
- encrypted_dek = NULL;
-
- if (ret != WAE_ERROR_NONE || dek == NULL) {
- ++error_during_loading;
- WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s",
- file_path_buff);
- continue;
- }
- iv = buffer_create(IV_LEN);
- if (iv == NULL) {
- ++error_during_loading;
- buffer_destroy(dek);
- dek = NULL;
- continue;
- }
-
- memcpy(iv->buf, AES_CBC_IV, iv->size);
-
- ce = crypto_element_create(dek, iv);
- if (ce == NULL) {
- ++error_during_loading;
- buffer_destroy(iv);
- iv = NULL;
- buffer_destroy(dek);
- dek = NULL;
- continue;
- }
-
- ret = save_to_key_manager(pkg_id, pkg_id, WAE_PRELOADED_APP, ce);
-
- if (ret == WAE_ERROR_KEY_EXISTS) {
- WAE_SLOGI("Key Manager already has dek. It will be ignored. file=%s",
- file_path_buff);
- } else if (ret != WAE_ERROR_NONE) {
- ++error_during_loading;
- WAE_SLOGW("Fail to add APP DEK to key-manager. file=%s", file_path_buff);
- }
-
- crypto_element_destroy(ce);
- ce = NULL;
- }
-
- ret = set_app_deks_loaded_to_key_manager();
-
-error:
- if (ret != WAE_ERROR_NONE) {
- if (ce) {
- crypto_element_destroy(ce);
+ ret = _load_preloaded_app_dek(prikey, file_path_buff, pkg_id);
+ if (ret != WAE_ERROR_NONE && ret != WAE_ERROR_KEY_EXISTS) {
+ WAE_SLOGW("Failed to load app dek(%s) ret(%d)", file_path_buff, ret);
} else {
- buffer_destroy(dek);
- buffer_destroy(iv);
+ WAE_SLOGI("Successfully load app dek(%s)", file_path_buff);
+ ret = WAE_ERROR_NONE;
}
}
buffer_destroy(prikey);
closedir(dir);
- return ret;
+ if (ret != WAE_ERROR_NONE)
+ return ret;
+ else
+ return set_app_deks_loaded_to_key_manager();
}
int remove_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type)
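Review bot: `ret` is reset to WAE_ERROR_NONE only in the success branch, so the value checked after the loop is whatever the last processed directory entry left behind. A failure on an earlier file is overwritten by a later success, while a failure on the final file (or, apparently, the `continue` after `_extract_pkg_id_from_file_name` just above this change) makes the function return an error and skip `set_app_deks_loaded_to_key_manager()`. The outcome therefore depends on directory order. If per-file failures are meant to be ignored, as the removed "It will be ignored" messages suggest, move `ret = WAE_ERROR_NONE;` after the if/else so only the `readdir_r` and `snprintf` breaks carry an error out; otherwise keep a separate failure flag. The loop starts outside this hunk.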
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index bf7bb79..99eafd5 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -1,8 +1,16 @@
-CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service.in
- ${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service @ONLY)
-
-INSTALL(FILES
- ${CMAKE_SOURCE_DIR}/systemd/webappenc-initializer.service
- DESTINATION
- ${SYSTEMD_UNIT_DIR}
-)
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+CONFIGURE_FILE(webappenc-initializer.service.in webappenc-initializer.service @ONLY)
+INSTALL(FILES webappenc-initializer.service DESTINATION ${SYSTEMD_UNIT_DIR})
diff --git a/systemd/webappenc-initializer.service.in b/systemd/webappenc-initializer.service.in
index 768552e..ed0bebe 100644
--- a/systemd/webappenc-initializer.service.in
+++ b/systemd/webappenc-initializer.service.in
@@ -5,11 +5,11 @@ Requires=central-key-manager.service
After=central-key-manager.service
[Service]
-User=security_fw
-Group=security_fw
+User=@USER_NAME@
+Group=@GROUP_NAME@
Type=oneshot
-ExecStart=/usr/bin/wae_initializer
-SmackProcessLabel=System
+ExecStart=@BINDIR@/wae_initializer
+SmackProcessLabel=@SMACK_DOMAIN@
[Install]
WantedBy=multi-user.target