authorDongsun Lee <ds73.lee@samsung.com>2019-01-19 12:21:20 (GMT)
committerDongsun Lee <ds73.lee@samsung.com>2019-05-24 04:11:38 (GMT)
commitfd2d39061c3fde9b2faba0a4146eb79114c29660 (patch)
treec79254c5d40f0ad01d8f809de5754db369f0ff88
parent4923a69e93f516640fd5230880ac18e3194f0ee7 (diff)
Change-Id: I5a5b6935ee1908bd9be7edf0087fcd17d61b9fd2 Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
-rw-r--r--CMakeLists.txt5
-rw-r--r--packaging/libwebappenc.spec2
-rw-r--r--resources/CMakeLists.txt7
-rw-r--r--resources/README_APP_DEK2
-rw-r--r--resources/WAE_APPDEK_KEK_PrivateKey.pem30
-rw-r--r--resources/WAE_APPDEK_KEK_PublicKey.pem9
-rw-r--r--srcs/crypto_service.c195
-rw-r--r--srcs/crypto_service.h7
-rw-r--r--srcs/key_handler.c79
-rw-r--r--srcs/key_handler.h3
-rw-r--r--srcs/key_manager.c49
-rw-r--r--tests/CMakeLists.txt1
-rw-r--r--tests/internals.cpp64
-rw-r--r--tests/resources/CMakeLists.txt19
-rw-r--r--tests/resources/prikey.pem30
-rw-r--r--tests/resources/pubkey.pem9
-rw-r--r--tests/test-helper.cpp31
17 files changed, 74 insertions, 468 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 27a4fee..2d1f806 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,6 +57,11 @@ ADD_DEFINITIONS("-DSMACK_ENABLED")
ADD_DEFINITIONS("-DSQLCIPHER_HAS_CODEC")
ADD_DEFINITIONS("-DBINDIR=\"${BINDIR}\"")
+# Set seed for dek_kek
+STRING(TIMESTAMP SEED "%Y%m%d_%H:%M:%S")
+ADD_DEFINITIONS("-DDEK_KEK_SEED=\"${SEED}\"")
+
+
# IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE")
ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
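Review bot: `DEK_KEK_SEED` is set from the configure-time timestamp, which is not a secret: it has one-second granularity, is compiled into the library as a string literal, and is usually close to the build dates recorded in package metadata, so the KEK derived from it in srcs/crypto_service.c protects APP_DEK files only from someone who lacks the binary. The value also changes on every re-configure, so APP_DEK files encrypted by one build presumably cannot be decrypted by a library from another build, and the output is not reproducible. If a compile-time seed is kept, let the packager supply it, e.g. `SET(DEK_KEK_SEED "" CACHE STRING "seed for APP_DEK_KEK")` with a `MESSAGE(FATAL_ERROR ...)` when it is empty, and state in the comment that the value is obfuscation rather than key storage.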
diff --git a/packaging/libwebappenc.spec b/packaging/libwebappenc.spec
index 8db7728..8b0bea6 100644
--- a/packaging/libwebappenc.spec
+++ b/packaging/libwebappenc.spec
@@ -96,7 +96,6 @@ fi
%{bin_dir}/wae_initializer
%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae
%dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae/app_dek
-%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/*
%files devel
%{_includedir}/*
@@ -109,4 +108,3 @@ fi
%license LICENSE.BSL-1.0
%{bin_dir}/wae_tests
%{_libdir}/libwae_tests_common.so*
-%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/test/app_dek/*
diff --git a/resources/CMakeLists.txt b/resources/CMakeLists.txt
index ffc566e..2fb09cc 100644
--- a/resources/CMakeLists.txt
+++ b/resources/CMakeLists.txt
@@ -16,10 +16,7 @@
# @author Dongsun Lee (ds73.lee@samsung.com)
# @brief Resource install cmake
#
-INSTALL(FILES
- WAE_APPDEK_KEK_PublicKey.pem
- WAE_APPDEK_KEK_PrivateKey.pem
+
+INSTALL(DIRECTORY
DESTINATION ${RW_SHARE_DIR}/wae/app_dek
- PERMISSIONS OWNER_READ
- OWNER_WRITE
)
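Review bot: `INSTALL(DIRECTORY DESTINATION ...)` with no source directory only creates an empty `${RW_SHARE_DIR}/wae/app_dek`, which reads like a truncated command; a one-line comment such as `# no source dirs: only create the (empty) dek store directory` would make the intent clear. The `PERMISSIONS` arguments were dropped, so the directory mode now comes from CMake's default unless `DIRECTORY_PERMISSIONS` is given; the spec file's `%dir %attr(770, ...)` entry covers the RPM case only.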
diff --git a/resources/README_APP_DEK b/resources/README_APP_DEK
index 724b8c2..81667fb 100644
--- a/resources/README_APP_DEK
+++ b/resources/README_APP_DEK
@@ -1 +1 @@
-The directory, app_dek, contains APP_DEK files encrypted with APP_DEK_KEK public key.
+The directory, app_dek, contains APP_DEK files encrypted with APP_DEK_KEK key.
diff --git a/resources/WAE_APPDEK_KEK_PrivateKey.pem b/resources/WAE_APPDEK_KEK_PrivateKey.pem
deleted file mode 100644
index e27950c..0000000
--- a/resources/WAE_APPDEK_KEK_PrivateKey.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F4C783D75B0679F29398E9A3CAB4733D
-
-kxgW1wGX3TZZ/wtv3g4AOLlZCHoQ6uXVQ0h2ofWjnJs8tas/alR6o8UBRIqCw44t
-znUvQ8HlThvzhGgxje/yDDSxCy9mqhgsi2XeTtAeUbMhFL6UArb3cs6M4a37lYoT
-llZdFyYkRWJ3vRS33TDrhXDV6GjZWQ05SJ0OYdPJsmA1ENwdH+5NE/xLnqLdTtWr
-O3Mn2vi6P9CVqZroCvYBzUaypGcmFhjTIbWmB6inXjoXyddzerh7PTDBDWWacBab
-C7gcZC5SrK5YOt6f54ANsVQO8jnkLDx95gUSHYthX1hrQ3Da5Gb6nfYP9RNrHCum
-O8RKxSOvv8zwbMlzqtld8xCOb7Nh04f8bofrzZVLZ0T92FcyFQmt1F4U6DNQqHsn
-AAqxRxUWsC5k2dX9uZ6RCpEzNYWyPvNe24I/Kt01Geoh1NtCns8CVZcrxyMMtZRK
-ZJnYhvNDXDQCDtMJjRBiEXXE++AdA2O6uFoGX3alKwtxAIjGI++pSRlz1GTps26x
-5mmLil5wb3KGBfMN4L0R0heDOeiPQrNv7CwX8OlHtA1OKFBtViWdd/uZ2hAko1Tz
-YkoYpHPQOV5LZ7dem/XNnwwel9g6AkHhLNJv5ih4Y0CQfPBSs+iiLbMHh/NaGDD9
-+kbcf5Lk4FQGVbJDW9nDAXT6jjMyliTI+hIh5fM2k22qbq6OqBkW6EbOQDMP/R2P
-LhFqTgHceNt0mqpcDJdJQ0YKbxVpdkv5f1C4rW+pgUEeHDCQ7vPe4p44xQJ/Z/7Y
-AtPwPKzPPJze2cfoUkZd9jXN9g2v2555xnQZU78IEm1nPVBA+hLIaqN1hu1Lkzxy
-CwFNo7bMVh3FSBmZVtJlcLsyLxZ9UdoaSr+anfA0lWJPiBzE0whQljZp56l1rL1V
-1K8m/dc9rLJ3uDQmYoSRmBZG5zZlVWCip+R9VAHMxRi1x29dFk1jbtQscr63dMI8
-0eOUf28Mw719WWUZVzD08b431DPqWiqrpexUKEXPW8EsrINPfIg180QYt1VUoshs
-Tqi/LKM0OV6nlMGh9ieCK8WzVDW8F16krSLo6eJpIPYPZgkHE7fC7Jws1kpUrSnF
-GgT6rBA97tJ0EalinuFXbip1X087Quz5USURq18f7/B6nFu0Kd4GhlICsR24j3eB
-75SsTNmfUcko8s5QT4rwONEwtRffkGbbNEisCPcleJV68zHvN58mfD7Dl8W3zIO4
-Qk6B1Xy0C4EEniKFfjxIaMEaxrqntBIc+nZE6/+UoGp/Hj9r5ZdzQX2j4837IIdR
-CxT4tjXiWBA6u3WaLAZUSM0W0SEORUF9NwzlId1b8A3WxA8XewhAKPaJEr677vzZ
-083+neUOuXqqs597romLH1omuffxmHxBzmP+koUtemP78XxCBVWUAB1T+fBRJMz6
-9ZEgDWrMntJ1IaFoGdOWZELgwcXJ0KwWFuk+sieZ5WCCzNmFli9WPN/xSqwmdYw6
-RK9er5Vc8D9mAlmGlz2mpAmzNJHH30zYKT/d0XzBS8z6WBRthaTS3NLsiSeWdELH
-b5+WEMOiKvZ19AXU2unHw/XpeVnAISOHhumAqFCwXkjVoMt8LMDawt6ra8N8G+gD
------END RSA PRIVATE KEY-----
diff --git a/resources/WAE_APPDEK_KEK_PublicKey.pem b/resources/WAE_APPDEK_KEK_PublicKey.pem
deleted file mode 100644
index f0dfcea..0000000
--- a/resources/WAE_APPDEK_KEK_PublicKey.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/
-BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9
-+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq
-8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw
-S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq
-Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4
-+wIDAQAB
------END PUBLIC KEY-----
diff --git a/srcs/crypto_service.c b/srcs/crypto_service.c
index c28c0cd..dcc172e 100644
--- a/srcs/crypto_service.c
+++ b/srcs/crypto_service.c
@@ -35,6 +35,11 @@
#include "wae_log.h"
#define AES_256_KEY_SIZE 32
+#define KEK_IV_LEN 16
+#define PBKDF2_ITERATION 1024
+
+
+crypto_element_s *dek_kek = NULL;
static bool __initialized = false;
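Review bot: `dek_kek` is defined with external linkage although nothing in this diff declares it in crypto_service.h, so the cached KEK is reachable by name from every object linked into the library; `static crypto_element_s *dek_kek = NULL;` keeps it private to this file. The pointer is filled lazily from both `encrypt_preloaded_app_dek` and `decrypt_preloaded_app_dek` without a lock, so two threads entering at once could each run `_generate_dek_kek` and leak one element; if callers are single-threaded, a comment stating that assumption would help. `PBKDF2_ITERATION 1024` is low for PBKDF2-HMAC-SHA1, though with a non-secret seed the count matters little.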
@@ -47,186 +52,74 @@ void _initialize()
}
}
-int encrypt_app_dek(const raw_buffer_s *pubkey, const raw_buffer_s *dek,
- raw_buffer_s **pencrypted_dek)
+int _generate_dek_kek()
{
- if (!is_buffer_valid(pubkey) || !is_buffer_valid(dek) || pencrypted_dek == NULL)
- return WAE_ERROR_INVALID_PARAMETER;
-
int ret = WAE_ERROR_NONE;
- EVP_PKEY *key = NULL;
- EVP_PKEY_CTX *ctx = NULL;
- raw_buffer_s *encrypted_dek = NULL;
- size_t len = 0;
-
- _initialize();
-
- BIO *bio = BIO_new(BIO_s_mem());
- BIO_write(bio, pubkey->buf, pubkey->size);
- key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
-
- if (key == NULL) {
- BIO_reset(bio);
- BIO_write(bio, pubkey->buf, pubkey->size);
- key = d2i_PUBKEY_bio(bio, NULL);
- }
-
- if (key == NULL) {
- ret = WAE_ERROR_FILE;
- WAE_SLOGE("Failt to convert to public key.");
- goto error;
- }
-
- ctx = EVP_PKEY_CTX_new(key, NULL);
-
- if (ctx == NULL) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_new failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
+ raw_buffer_s *kek = NULL;
+ raw_buffer_s *iv = NULL;
- if (EVP_PKEY_encrypt_init(ctx) <= 0) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt_init failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
-
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
-
- /* Determine buffer length */
- if (EVP_PKEY_encrypt(ctx, NULL, &len, dek->buf, dek->size) <= 0) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed");
- ret = WAE_ERROR_CRYPTO;
+ kek = buffer_create(AES_256_KEY_SIZE);
+ if (kek == NULL) {
+ ret = WAE_ERROR_MEMORY;
goto error;
}
-
- if ((encrypted_dek = buffer_create(len)) == NULL) {
- WAE_SLOGE("Encrypt APP DEK Failed. OPENSSL_malloc failed");
+ iv = buffer_create(KEK_IV_LEN);
+ if (iv == NULL) {
ret = WAE_ERROR_MEMORY;
goto error;
}
- if (EVP_PKEY_encrypt(ctx, encrypted_dek->buf, &encrypted_dek->size, dek->buf,
- dek->size) <= 0) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed");
+ ret = PKCS5_PBKDF2_HMAC_SHA1(
+ DEK_KEK_SEED, -1,
+ NULL, 0,
+ PBKDF2_ITERATION,
+ AES_256_KEY_SIZE,
+ kek->buf);
+ if (ret == 0) {
ret = WAE_ERROR_CRYPTO;
goto error;
+ } else {
+ ret = WAE_ERROR_NONE;
}
- *pencrypted_dek = encrypted_dek;
-
+ dek_kek = crypto_element_create(kek, iv);
error:
- if (bio != NULL)
- BIO_free(bio);
-
- if (key != NULL)
- EVP_PKEY_free(key);
-
- if (ctx != NULL)
- EVP_PKEY_CTX_free(ctx);
-
- if (ret != WAE_ERROR_NONE)
- buffer_destroy(encrypted_dek);
+ if (ret != WAE_ERROR_NONE) {
+ if (kek != NULL)
+ buffer_destroy(kek);
+ if (iv != NULL)
+ buffer_destroy(iv);
+ }
return ret;
}
-int decrypt_app_dek(const raw_buffer_s *prikey, const char *prikey_pass,
- const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek)
+int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek)
{
- if (!is_buffer_valid(prikey) || !is_buffer_valid(encrypted_dek) || pdek == NULL)
- return WAE_ERROR_INVALID_PARAMETER;
-
int ret = WAE_ERROR_NONE;
- EVP_PKEY_CTX *ctx = NULL;
- raw_buffer_s *dek = NULL;
- size_t len = 0;
-
- _initialize();
- BIO *bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
- return WAE_ERROR_MEMORY;
-
- BIO_write(bio, prikey->buf, prikey->size);
- EVP_PKEY *key = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)prikey_pass);
-
- if (key == NULL) {
- BIO_reset(bio);
- BIO_write(bio, prikey->buf, prikey->size);
- key = d2i_PrivateKey_bio(bio, NULL);
- }
-
- if (key == NULL) {
- ret = WAE_ERROR_FILE;
- WAE_SLOGE("Failed to convert to public key.");
- goto error;
- }
-
- ctx = EVP_PKEY_CTX_new(key, NULL);
-
- if (ctx == NULL) {
- WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_CTX_new failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
+ if (dek_kek == NULL) {
+ ret = _generate_dek_kek();
+ if (ret != WAE_ERROR_NONE)
+ return ret;
}
- if (EVP_PKEY_decrypt_init(ctx) <= 0) {
- WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt_init failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
-
- if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) {
- WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
-
- /* Determine buffer length */
- if (EVP_PKEY_decrypt(ctx, NULL, &len, encrypted_dek->buf, encrypted_dek->size) <= 0) {
- WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
- }
+ return encrypt_aes_cbc(dek_kek, dek, pencrypted_dek);
+}
- dek = buffer_create(len);
- if (dek == NULL) {
- WAE_SLOGE("Decrypt APP DEK Failed. OPENSSL_malloc failed");
- ret = WAE_ERROR_MEMORY;
- goto error;
- }
+int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek)
+{
+ int ret = WAE_ERROR_NONE;
- if (EVP_PKEY_decrypt(ctx, dek->buf, &dek->size, encrypted_dek->buf,
- encrypted_dek->size) <= 0) {
- WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_decrypt failed");
- ret = WAE_ERROR_CRYPTO;
- goto error;
+ if (dek_kek == NULL) {
+ ret = _generate_dek_kek();
+ if (ret != WAE_ERROR_NONE)
+ return ret;
}
- *pdek = dek;
-
-error:
- if (bio != NULL)
- BIO_free(bio);
-
- if (key != NULL)
- EVP_PKEY_free(key);
-
- if (ctx != NULL)
- EVP_PKEY_CTX_free(ctx);
-
- if (ret != WAE_ERROR_NONE)
- buffer_destroy(dek);
-
- return ret;
+ return decrypt_aes_cbc(dek_kek, encrypted_dek, pdek);
}
-
int encrypt_aes_cbc(const crypto_element_s *ce, const raw_buffer_s *data,
raw_buffer_s **pencrypted_data)
{
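Review bot: In `_generate_dek_kek` the `iv` buffer is allocated with `buffer_create(KEK_IV_LEN)` and handed to `crypto_element_create` without ever being written, so the CBC IV is whatever `buffer_create` leaves in it; unless that helper zero-fills (not visible here), a DEK encrypted in one process may not decrypt in another. The result of `crypto_element_create(kek, iv)` is also unchecked: on failure `ret` stays `WAE_ERROR_NONE`, `kek` and `iv` leak, and a NULL `dek_kek` is passed on to `encrypt_aes_cbc`/`decrypt_aes_cbc`. The sketch below derives key and IV from one PBKDF2 call (the first 32 bytes are unchanged) and checks the create result; the IV is still the same for every DEK, and the NULL salt means the output depends only on `DEK_KEK_SEED`. The removed functions validated `dek` and `pencrypted_dek` with `is_buffer_valid`, whereas the new wrappers rely on `encrypt_aes_cbc`, whose body is outside this hunk, to do so.

```c
int _generate_dek_kek()
{
	unsigned char derived[AES_256_KEY_SIZE + KEK_IV_LEN];
	/* … unchanged: ret/kek/iv declarations and the two buffer_create checks … */

	if (PKCS5_PBKDF2_HMAC_SHA1(DEK_KEK_SEED, -1, NULL, 0, PBKDF2_ITERATION,
							   sizeof(derived), derived) != 1) {
		ret = WAE_ERROR_CRYPTO;
		goto error;
	}

	/* key and IV come from the same derivation, so every process agrees on both */
	memcpy(kek->buf, derived, AES_256_KEY_SIZE);
	memcpy(iv->buf, derived + AES_256_KEY_SIZE, KEK_IV_LEN);

	dek_kek = crypto_element_create(kek, iv);
	if (dek_kek == NULL)
		ret = WAE_ERROR_MEMORY;

error:
	OPENSSL_cleanse(derived, sizeof(derived));
	/* … unchanged: destroy kek and iv when ret != WAE_ERROR_NONE, return ret … */
```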
diff --git a/srcs/crypto_service.h b/srcs/crypto_service.h
index c6340ae..a2d7412 100644
--- a/srcs/crypto_service.h
+++ b/srcs/crypto_service.h
@@ -28,10 +28,9 @@ extern "C" {
#include "types.h"
-int encrypt_app_dek(const raw_buffer_s *pubkey, const raw_buffer_s *dek,
- raw_buffer_s **pencrypted_dek);
-int decrypt_app_dek(const raw_buffer_s *prikey, const char *prikey_pass,
- const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek);
+
+int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek);
+int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek);
int encrypt_aes_cbc(const crypto_element_s *ce, const raw_buffer_s *data,
diff --git a/srcs/key_handler.c b/srcs/key_handler.c
index a60142e..c198d19 100644
--- a/srcs/key_handler.c
+++ b/srcs/key_handler.c
@@ -104,16 +104,6 @@ int _get_random(raw_buffer_s *rb)
return WAE_ERROR_NONE;
}
-const char *_get_dek_kek_pub_key_path()
-{
- return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PublicKey.pem");
-}
-
-const char *_get_dek_kek_pri_key_path()
-{
- return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PrivateKey.pem");
-}
-
const char *_get_dek_store_path()
{
return tzplatform_mkpath3(TZ_SYS_SHARE, "wae", "app_dek");
@@ -197,8 +187,8 @@ error:
return ret;
}
-typedef int(*entry_callback)(const char *path, const struct dirent *entry, void *user_data);
-static int traverse_directory(const char *path, entry_callback ecb, void *user_data)
+typedef int(*entry_callback)(const char *path, const struct dirent *entry);
+static int traverse_directory(const char *path, entry_callback ecb)
{
DIR *dir = opendir(path);
if (dir == NULL) {
@@ -228,7 +218,7 @@ static int traverse_directory(const char *path, entry_callback ecb, void *user_d
continue;
}
- int _ret = ecb(path, result, user_data);
+ int _ret = ecb(path, result);
if (_ret != WAE_ERROR_NONE)
ret = _ret;
}
@@ -243,10 +233,8 @@ static void _remove_file(const char *path)
}
static int _entry_callback_remove_all(
- const char *path, const struct dirent *entry, void *user_data)
+ const char *path, const struct dirent *entry)
{
- (void) user_data; // TODO: use UNUSED macro
-
char file_path_buff[MAX_PATH_LEN] = {0, };
if ((unsigned)snprintf(file_path_buff, sizeof(file_path_buff), "%s/%s",
path, entry->d_name) >= sizeof(file_path_buff))
@@ -254,7 +242,7 @@ static int _entry_callback_remove_all(
int ret = WAE_ERROR_NONE;
if (entry->d_type == DT_DIR) {
- int _ret = traverse_directory(file_path_buff, _entry_callback_remove_all, NULL);
+ int _ret = traverse_directory(file_path_buff, _entry_callback_remove_all);
if (_ret != WAE_ERROR_NONE)
ret = _ret;
rmdir(file_path_buff);
@@ -266,7 +254,7 @@ static int _entry_callback_remove_all(
void _remove_directory(const char *path)
{
- traverse_directory(path, _entry_callback_remove_all, NULL);
+ traverse_directory(path, _entry_callback_remove_all);
WAE_SLOGD("remove directory(%s)", path);
rmdir(path);
@@ -323,8 +311,7 @@ int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *enc
return _write_to_file(path, encrypted);
}
-int _load_preloaded_app_dek(
- const raw_buffer_s *prikey, const char *filepath, const char *pkg_id)
+int _load_preloaded_app_dek(const char *filepath, const char *pkg_id)
{
raw_buffer_s *encrypted_dek = NULL;
raw_buffer_s *dek = NULL;
@@ -337,7 +324,7 @@ int _load_preloaded_app_dek(
return ret;
}
- ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek);
+ ret = decrypt_preloaded_app_dek(encrypted_dek, &dek);
if (ret != WAE_ERROR_NONE) {
WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", filepath);
goto finish;
@@ -536,7 +523,6 @@ int get_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce)
int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce)
{
raw_buffer_s *encrypted_app_dek = NULL;
- raw_buffer_s *pubkey = NULL;
raw_buffer_s *dek = buffer_create(DEK_LEN);
raw_buffer_s *iv = buffer_create(sizeof(AES_CBC_IV));
crypto_element_s *ce = crypto_element_create(dek, iv);
@@ -556,14 +542,7 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce)
// copy default iv for preloaded app
memcpy(iv->buf, AES_CBC_IV, sizeof(AES_CBC_IV));
- ret = _read_from_file(_get_dek_kek_pub_key_path(), &pubkey);
-
- if (ret != WAE_ERROR_NONE) {
- WAE_SLOGE("WAE: Fail to read APP_DEK_KEK Public Key");
- goto error;
- }
-
- ret = encrypt_app_dek(pubkey, dek, &encrypted_app_dek);
+ ret = encrypt_preloaded_app_dek(dek, &encrypted_app_dek);
if (ret != WAE_ERROR_NONE) {
WAE_SLOGE("WAE: Fail to encrypt APP_DEK with APP_DEK_KEK");
@@ -592,7 +571,6 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce)
error:
buffer_destroy(encrypted_app_dek);
- buffer_destroy(pubkey);
if (ret != WAE_ERROR_NONE) {
if (ce) {
@@ -606,29 +584,13 @@ error:
return ret;
}
-int _get_app_dek_kek(raw_buffer_s **pdek_kek)
-{
-#if 0
- return get_dek_kek_from_key_manager(pdek_kek);
-#else
- return _read_from_file(_get_dek_kek_pri_key_path(), pdek_kek);
-#endif
-}
-
static int _entry_callback_load_preloaded_adeks(
- const char *path, const struct dirent *entry, void *prikey)
+ const char *path, const struct dirent *entry)
{
- const char *pub_key_path = _get_dek_kek_pub_key_path();
- const char *pri_key_path = _get_dek_kek_pri_key_path();
-
char file_path_buff[MAX_PATH_LEN] = {0, };
if ((unsigned)snprintf(file_path_buff, sizeof(file_path_buff), "%s/%s", path, entry->d_name) >= sizeof(file_path_buff))
return WAE_ERROR_INVALID_PARAMETER; /* buffer size too small */
- if (strcmp(file_path_buff, pub_key_path) == 0 ||
- strcmp(file_path_buff, pri_key_path) == 0)
- return WAE_ERROR_NONE; /* skip KEK files */
-
if (entry->d_type != DT_REG || strstr(entry->d_name, APP_DEK_FILE_PFX) == NULL) {
if (entry->d_type == DT_DIR)
WAE_SLOGW(
@@ -648,7 +610,7 @@ static int _entry_callback_load_preloaded_adeks(
return ret;
}
- ret = _load_preloaded_app_dek((raw_buffer_s *)prikey, file_path_buff, pkg_id);
+ ret = _load_preloaded_app_dek(file_path_buff, pkg_id);
if (ret == WAE_ERROR_NONE || ret == WAE_ERROR_KEY_EXISTS) {
WAE_SLOGI("Successfully load app dek(%s)", file_path_buff);
return WAE_ERROR_NONE;
@@ -666,7 +628,6 @@ int load_preloaded_app_deks()
const char *dek_store_path = _get_dek_store_path();
- raw_buffer_s *prikey = NULL;
DIR *dir = NULL;
// check if all deks were already loaded into key-manager.
@@ -686,34 +647,18 @@ int load_preloaded_app_deks()
}
}
- ret = _get_app_dek_kek(&prikey);
- if (ret != WAE_ERROR_NONE) {
- WAE_SLOGE("Fail to get APP_DEK_KEK Private Key. ret(%d)", ret);
- goto out;
- }
-
// close dek store dir fd not to affect the traverse_directory call
closedir(dir);
dir = NULL;
- ret = traverse_directory(dek_store_path, _entry_callback_load_preloaded_adeks, prikey);
+ ret = traverse_directory(dek_store_path, _entry_callback_load_preloaded_adeks);
if (ret != WAE_ERROR_NONE)
WAE_SLOGE("Fail when traverse dek store directory. ret(%d)", ret);
out:
- if (prikey != NULL)
- buffer_destroy(prikey);
-
if (dir != NULL)
closedir(dir);
- // remove dek store after loade done even though it's partially failed
- // because malware can still put the file in dek store if it still system service's
- // ownership and they can break this logic by inserting any file to dek store path.
- // If KEK private key is inserted to key-manager with initial-value feature, malware
- // cannot insert/encrypt/decrypt app dek so it's fine on preloaded app security but
- // if we handle errors related loading file, malware can at least occur webappenc
- // initializer service failure.
_remove_directory(dek_store_path);
return ret;
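Review bot: The comment deleted above `_remove_directory(dek_store_path)` was the only explanation of why the dek store is removed even when loading partially failed, and that behaviour is unchanged, so a shortened form should stay, e.g. `// remove dek store even on partial failure so that a file planted there cannot make the initializer fail`. Only the sentences about the KEK private key and key-manager initial-value are obsolete. `load_preloaded_app_deks` begins outside this hunk.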
diff --git a/srcs/key_handler.h b/srcs/key_handler.h
index f5ce3e4..871fe60 100644
--- a/srcs/key_handler.h
+++ b/srcs/key_handler.h
@@ -42,10 +42,9 @@ int _get_preloaded_app_dek_file_path(const char *pkg_id, size_t size, char *path
int _read_encrypted_app_dek_from_file(const char *pkg_id, raw_buffer_s **pencrypted);
int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *encrypted);
void _remove_directory(const char *path);
-const char *_get_dek_kek_pub_key_path();
-const char *_get_dek_kek_pri_key_path();
const char *_get_dek_store_path();
+
/* functions for interface */
int get_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type,
bool create_for_migrated_app, const crypto_element_s **pce);
diff --git a/srcs/key_manager.c b/srcs/key_manager.c
index 1f7a96d..ac49bb9 100644
--- a/srcs/key_manager.c
+++ b/srcs/key_manager.c
@@ -283,52 +283,3 @@ int remove_from_key_manager(const char *name, wae_app_type_e type)
return _to_wae_error(ckmc_remove_alias(alias));
}
-
-static int _get_dek_kek_alias(char *alias, size_t buff_len)
-{
- return (unsigned)snprintf(alias, buff_len, "%s%s%s",
- ckmc_owner_id_system,
- ckmc_owner_id_separator,
- APP_DEK_KEK_ALIAS) >= buff_len
- ? WAE_ERROR_INVALID_PARAMETER
- : WAE_ERROR_NONE;
-}
-
-int get_dek_kek_from_key_manager(raw_buffer_s **pdek_kek)
-{
- if (pdek_kek == NULL)
- return WAE_ERROR_INVALID_PARAMETER;
-
- ckmc_raw_buffer_s *buf = NULL;
-
- char alias[MAX_ALIAS_LEN] = {0, };
- int ret = _get_dek_kek_alias(alias, sizeof(alias));
- if (ret != WAE_ERROR_NONE)
- return ret;
-
- ret = _to_wae_error(ckmc_get_data(alias, NULL, &buf));
- if (ret != WAE_ERROR_NONE) {
- WAE_SLOGE("Failed to get dek kek from key-manager. alias(%s) ret(%d)",
- alias, ret);
- return ret;
- }
-
- raw_buffer_s *dek_kek = buffer_create(buf->size);
- if (dek_kek == NULL) {
- ret = WAE_ERROR_MEMORY;
- goto error;
- }
- memcpy(dek_kek->buf, buf->data, dek_kek->size);
-
- *pdek_kek = dek_kek;
-
- WAE_SLOGI("Success to get dek kek from key-manager.");
-
-error:
- ckmc_buffer_free(buf);
-
- if (ret != WAE_ERROR_NONE)
- buffer_destroy(dek_kek);
-
- return ret;
-}
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 07d2082..f2c2353 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -98,4 +98,3 @@ INSTALL(TARGETS ${TARGET_WAE_TEST}
WORLD_EXECUTE
)
-ADD_SUBDIRECTORY(resources)
diff --git a/tests/internals.cpp b/tests/internals.cpp
index 7a13df7..626c998 100644
--- a/tests/internals.cpp
+++ b/tests/internals.cpp
@@ -88,48 +88,8 @@ BOOST_AUTO_TEST_SUITE(SYSTEM)
BOOST_AUTO_TEST_SUITE(INTERNALS)
-BOOST_AUTO_TEST_CASE(encrypt_decrypt_app_dek)
+BOOST_AUTO_TEST_CASE(encrypt_decrypt_preloaded_app_dek)
{
- const char *private_key =
- "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIIEpgIBAAKCAQEA0kWtjpRO7Zh2KX2naVE/BDJdrfwK9xexfNA0MkY2VJ4J2AKM\n"
- "YTj1D1jntceryupCEHOvP3rum+WsFvPXduz9+VKnSsSqj4jcTUubtpDUGA5G79Iq\n"
- "LEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq8JkqBPoCCwtUs73ruE9VbtsBO/kT\n"
- "lASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCwS2OTvQDNvsXfFnA0ZJEEYw/rZLir\n"
- "j7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12YxqHdy7gnJXodLhvE/cR4SN9VW7+qmC\n"
- "MBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4+wIDAQABAoIBAQCwxqV/vc2RUGDe\n"
- "xuXM0+IvrAw37jJlw4SS0xNexMp+XxMViCbuwYy851h96azS/himbiuCKd6aL/96\n"
- "mGunbtyiFEvSvv5Jh5z2Wr9BQAcfZjla+4w7BIsg9UNifE/OfgLsQBu34xhsHtfK\n"
- "7nFehCOl/I5n+qtnD5KZPe0DWacQdwY4vEAj6YyXdb2bBg+MiwE9KVxGEIUDbklh\n"
- "Is70JXczjLZCS+lIpOKh0/lbZmBZePoUbVTtS+GvtPTpQC/aTHRkwGoEtuPEWpbL\n"
- "0Q1d6zO+vDJVLJlb5FF2haghs8IlqAxkkPjeUTNye+WktRrDQxmPu/blbxQrygfq\n"
- "Au5tBnsxAoGBAOiVtcpg32puo3Yq2Y78oboe9PuHaQP0d3DhwP3/7J0BeNslpjW7\n"
- "E1LWsVsCanxTE8XPUdFfAWgMk7lQqESN0wawGmSmWk+eQPZdjHanBaC8vh7aKjo6\n"
- "q9FdT1DKjrRi23QyDco3f3E7hvM93IAAhw1ikNu8DT19JAxtdeMh5WAZAoGBAOdw\n"
- "6neEvIFXh3RWEv2/GKVhVR8mxDqxmuFdXpOF+YWsK0Tg4uC8jm9kUGnwXgT2Mjke\n"
- "oAwYAFcRbHQQGsxy/vkV16kv4aurTE2hMpjeXCAakwV0Pi2w1f9WnDokjgORkOmc\n"
- "+QK9I8egdFPMVDfQjhLslhSUY0Eb4qcJ6q9WxfQzAoGBANSsAFybk+7oWAO3TtQW\n"
- "YXOk1vIgcYAyS/0mEKixGZS/QdlxZbf/5b17nxTO8rvX416fIftG2ixgQ7vR6us0\n"
- "m9+jq56ZFj9zP4eHJudf9h9yNo5TgwVXnMCGh/4iGbcMJgrrsfxUHu5VNiK5UCSj\n"
- "VtqAZGDoZVryUMIkXQVhezIRAoGBAN7QUIqcGbcUA24257Wu4hVlrUN+WPCAyDEr\n"
- "aL/x/ZV5eXaoYwQlw6LuGpTDOmDgfN2M5FyARuOL/LOIRaSLGXnIU4WoeUSCd8VM\n"
- "6Z9Og7bMnrpjfPEUDBH02hcH1kkNPUwLOZgva2Dm0tdSIcpSWFVTu/E4Io4uQHi8\n"
- "DVqc2ZsNAoGBAJT76ezXNSSv8hnrKqTpwgTicpqhRZ3eFQjyl4HRL26AJMKv++x8\n"
- "4/IsVIwxaHzpbN3nnCjmAHV4gX9YpxVnvYcZflC9WZeDkwNMLmPYb3Zg27EzSMfQ\n"
- "8yrfWJZo3qobipcHf1yohAt4fHk9kUKtPHEwp0xKe//rfhswLb3VCzvQ\n"
- "-----END RSA PRIVATE KEY-----";
-
- const char *public_key =
- "-----BEGIN PUBLIC KEY-----\n"
- "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/\n"
- "BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9\n"
- "+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq\n"
- "8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw\n"
- "S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq\n"
- "Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4\n"
- "+wIDAQAB\n"
- "-----END PUBLIC KEY-----";
-
raw_buffer_s *dek = buffer_create(32);
auto _raii1 = _safe(dek);
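Review bot: The renamed test case `encrypt_decrypt_preloaded_app_dek` (its body continues in the next hunk) encrypts and decrypts in one process with the same cached KEK, so it passes with whatever key and IV `_generate_dek_kek` produced and cannot catch a KEK or IV that differs between processes or builds. It also never checks that encryption changed the data; adding `BOOST_REQUIRE(Wae::Test::bytes_to_hex(dek) != Wae::Test::bytes_to_hex(encrypted));` after the encrypt call would at least reject an identity transform. A fixed known-answer vector is not possible while the seed is a build timestamp, which is worth stating in a comment on the test.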
@@ -137,28 +97,19 @@ BOOST_AUTO_TEST_CASE(encrypt_decrypt_app_dek)
BOOST_REQUIRE_MESSAGE(dek != nullptr && dek->size == 32, "Failed to create buffer");
BOOST_REQUIRE_MESSAGE(_get_random(dek) == WAE_ERROR_NONE, "Failed to get random");
- raw_buffer_s pubkey;
-
- pubkey.buf = (unsigned char *)public_key;
- pubkey.size = strlen(public_key);
-
raw_buffer_s *encrypted = nullptr;
- int ret = encrypt_app_dek(&pubkey, dek, &encrypted);
+ int ret = encrypt_preloaded_app_dek(dek, &encrypted);
auto _raii2 = _safe(encrypted);
- BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to encrypt_app_dek. ec: " << ret);
-
- raw_buffer_s prikey;
- prikey.buf = (unsigned char *)private_key;
- prikey.size = strlen(private_key);
+ BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to encrypt_preloaded_app_dek. ec: " << ret);
raw_buffer_s *decrypted = nullptr;
- ret = decrypt_app_dek(&prikey, nullptr, encrypted, &decrypted);
+ ret = decrypt_preloaded_app_dek(encrypted, &decrypted);
auto _raii3 = _safe(decrypted);
- BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to decrypt_app_dek. ec: " << ret);
+ BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to decrypt_preloaded_app_dek. ec: " << ret);
BOOST_REQUIRE_MESSAGE(Wae::Test::bytes_to_hex(dek) == Wae::Test::bytes_to_hex(decrypted),
"encrypted/decrypted dek isn't valid. "
@@ -394,11 +345,6 @@ BOOST_AUTO_TEST_CASE(load_preloaded_app_dek_tolerances)
BOOST_REQUIRE(load_preloaded_app_deks() == WAE_ERROR_NONE);
BOOST_REQUIRE(does_dek_store_exist() == false);
- // without kek(private key)
- Wae::Test::restore_dek_store();
- BOOST_REQUIRE(load_preloaded_app_deks() == WAE_ERROR_FILE);
- BOOST_REQUIRE(does_dek_store_exist() == false);
-
// with invalid file in dek store
Wae::Test::restore_dummy_preloaded_app_dek_keks();
std::ofstream dst;
diff --git a/tests/resources/CMakeLists.txt b/tests/resources/CMakeLists.txt
deleted file mode 100644
index fa0856f..0000000
--- a/tests/resources/CMakeLists.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-INSTALL(
- FILES pubkey.pem prikey.pem
- DESTINATION ${RW_SHARE_DIR}/wae/test/app_dek
- PERMISSIONS OWNER_READ
-)
diff --git a/tests/resources/prikey.pem b/tests/resources/prikey.pem
deleted file mode 100644
index e27950c..0000000
--- a/tests/resources/prikey.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F4C783D75B0679F29398E9A3CAB4733D
-
-kxgW1wGX3TZZ/wtv3g4AOLlZCHoQ6uXVQ0h2ofWjnJs8tas/alR6o8UBRIqCw44t
-znUvQ8HlThvzhGgxje/yDDSxCy9mqhgsi2XeTtAeUbMhFL6UArb3cs6M4a37lYoT
-llZdFyYkRWJ3vRS33TDrhXDV6GjZWQ05SJ0OYdPJsmA1ENwdH+5NE/xLnqLdTtWr
-O3Mn2vi6P9CVqZroCvYBzUaypGcmFhjTIbWmB6inXjoXyddzerh7PTDBDWWacBab
-C7gcZC5SrK5YOt6f54ANsVQO8jnkLDx95gUSHYthX1hrQ3Da5Gb6nfYP9RNrHCum
-O8RKxSOvv8zwbMlzqtld8xCOb7Nh04f8bofrzZVLZ0T92FcyFQmt1F4U6DNQqHsn
-AAqxRxUWsC5k2dX9uZ6RCpEzNYWyPvNe24I/Kt01Geoh1NtCns8CVZcrxyMMtZRK
-ZJnYhvNDXDQCDtMJjRBiEXXE++AdA2O6uFoGX3alKwtxAIjGI++pSRlz1GTps26x
-5mmLil5wb3KGBfMN4L0R0heDOeiPQrNv7CwX8OlHtA1OKFBtViWdd/uZ2hAko1Tz
-YkoYpHPQOV5LZ7dem/XNnwwel9g6AkHhLNJv5ih4Y0CQfPBSs+iiLbMHh/NaGDD9
-+kbcf5Lk4FQGVbJDW9nDAXT6jjMyliTI+hIh5fM2k22qbq6OqBkW6EbOQDMP/R2P
-LhFqTgHceNt0mqpcDJdJQ0YKbxVpdkv5f1C4rW+pgUEeHDCQ7vPe4p44xQJ/Z/7Y
-AtPwPKzPPJze2cfoUkZd9jXN9g2v2555xnQZU78IEm1nPVBA+hLIaqN1hu1Lkzxy
-CwFNo7bMVh3FSBmZVtJlcLsyLxZ9UdoaSr+anfA0lWJPiBzE0whQljZp56l1rL1V
-1K8m/dc9rLJ3uDQmYoSRmBZG5zZlVWCip+R9VAHMxRi1x29dFk1jbtQscr63dMI8
-0eOUf28Mw719WWUZVzD08b431DPqWiqrpexUKEXPW8EsrINPfIg180QYt1VUoshs
-Tqi/LKM0OV6nlMGh9ieCK8WzVDW8F16krSLo6eJpIPYPZgkHE7fC7Jws1kpUrSnF
-GgT6rBA97tJ0EalinuFXbip1X087Quz5USURq18f7/B6nFu0Kd4GhlICsR24j3eB
-75SsTNmfUcko8s5QT4rwONEwtRffkGbbNEisCPcleJV68zHvN58mfD7Dl8W3zIO4
-Qk6B1Xy0C4EEniKFfjxIaMEaxrqntBIc+nZE6/+UoGp/Hj9r5ZdzQX2j4837IIdR
-CxT4tjXiWBA6u3WaLAZUSM0W0SEORUF9NwzlId1b8A3WxA8XewhAKPaJEr677vzZ
-083+neUOuXqqs597romLH1omuffxmHxBzmP+koUtemP78XxCBVWUAB1T+fBRJMz6
-9ZEgDWrMntJ1IaFoGdOWZELgwcXJ0KwWFuk+sieZ5WCCzNmFli9WPN/xSqwmdYw6
-RK9er5Vc8D9mAlmGlz2mpAmzNJHH30zYKT/d0XzBS8z6WBRthaTS3NLsiSeWdELH
-b5+WEMOiKvZ19AXU2unHw/XpeVnAISOHhumAqFCwXkjVoMt8LMDawt6ra8N8G+gD
------END RSA PRIVATE KEY-----
diff --git a/tests/resources/pubkey.pem b/tests/resources/pubkey.pem
deleted file mode 100644
index f0dfcea..0000000
--- a/tests/resources/pubkey.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/
-BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9
-+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq
-8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw
-S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq
-Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4
-+wIDAQAB
------END PUBLIC KEY-----
diff --git a/tests/test-helper.cpp b/tests/test-helper.cpp
index ac17a0d..f6001e7 100644
--- a/tests/test-helper.cpp
+++ b/tests/test-helper.cpp
@@ -36,31 +36,9 @@
namespace Wae {
namespace Test {
-namespace {
const uid_t UID_OWNER = 5001;
-void copy_file(const char *src_path, const char *dst_path)
-{
- std::ifstream src;
- std::ofstream dst;
-
- src.exceptions(std::ifstream::failbit | std::ifstream::badbit);
- dst.exceptions(std::ofstream::failbit | std::ofstream::badbit);
-
- src.open(src_path, std::ifstream::binary);
- dst.open(dst_path, std::ofstream::binary);
-
- dst << src.rdbuf();
-
- // std::ofstream destructor will call close automatically so no need to handle
- // close in the exception cases
- src.close();
- dst.close();
-}
-
-} // namespace anonymous
-
void add_get_remove_ce(wae_app_type_e app_type)
{
const char *pkg_id = "TEST_PKG_ID";
@@ -251,16 +229,9 @@ void remove_dek_store()
void restore_dummy_preloaded_app_dek_keks()
{
- // Generate pri/pub key pair. Private key is protected
- // with assigned password: APP_DEK_KEK_PRIKEY_PASSWORD) which is same to password
- // of real private key because it's built in source of srcs/key_handler.c
- // It should be removed after private key goes into key-manager initial-value.
restore_dek_store();
- copy_file("/opt/share/wae/test/app_dek/prikey.pem", _get_dek_kek_pri_key_path());
- copy_file("/opt/share/wae/test/app_dek/pubkey.pem", _get_dek_kek_pub_key_path());
-
- BOOST_MESSAGE("copying dummy pri/pub key pair to dek store done");
+ BOOST_MESSAGE("Restored dek store done");
}
} // namespace Test