diff options
Diffstat (limited to 'srcs/key_handler.c')
-rw-r--r-- | srcs/key_handler.c | 710 |
1 files changed, 253 insertions, 457 deletions
diff --git a/srcs/key_handler.c b/srcs/key_handler.c index 0cb2776..af7280b 100644 --- a/srcs/key_handler.c +++ b/srcs/key_handler.c @@ -27,112 +27,55 @@ #include <dirent.h> #include <unistd.h> -#include <ckmc/ckmc-manager.h> #include <tzplatform_config.h> #include "wae_log.h" -#include "web_app_enc.h" #include "crypto_service.h" +#include "key_manager.h" +#include "decrypt_migrated_wgt.h" #define RANDOM_FILE "/dev/urandom" #define APP_DEK_KEK_PRIKEY_PASSWORD "wae_appdek_kek_1q2w3e4r" -#define APP_DEK_ALIAS_PFX "APP_DEK_" -#define APP_DEK_LOADING_DONE_ALIAS "APP_DEKS_LOADING_FINISHED" #define APP_DEK_FILE_PFX "WAE_APP_DEK" -#define APP_DEK_KEK_ALIAS "WAE_APP_DEK_KEK" #define DEK_LEN 32 -#define MAX_ALIAS_LEN 256 +#define IV_LEN 16 #define MAX_PKGID_LEN 256 #define MAX_CACHE_SIZE 100 -typedef struct _dek_cache_element { - char pkg_id[MAX_PKGID_LEN]; - unsigned char dek[DEK_LEN]; -} dek_cache_element; +static unsigned char AES_CBC_IV[IV_LEN] = { + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x08, 0x39, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F +}; -dek_cache_element APP_DEK_CACHE[MAX_CACHE_SIZE]; -int NEXT_CACHE_IDX = -1; +static crypto_element_map_s *_map; -void _initialize_cache() +static void deinit_lib(void) __attribute__((destructor)); +static void deinit_lib(void) { - NEXT_CACHE_IDX = 0; - memset(APP_DEK_CACHE, 0, sizeof(dek_cache_element) * MAX_CACHE_SIZE); + crypto_element_map_destroy(_map); } -const unsigned char *_get_app_dek_from_cache(const char *pkg_id) +static const crypto_element_s *_get_app_ce_from_cache(const char *pkg_id) { - if (NEXT_CACHE_IDX < 0) - _initialize_cache(); - - for (size_t i = 0; i < MAX_CACHE_SIZE; i++) { - //WAE_SLOGI("CACHED APP_DEK[%d]=%s", i, APP_DEK_CACHE[i].pkg_id); - if (strncmp(pkg_id, APP_DEK_CACHE[i].pkg_id, MAX_PKGID_LEN) == 0) - return APP_DEK_CACHE[i].dek; - } - - return NULL; + return crypto_element_map_get(_map, pkg_id); } -void _add_app_dek_to_cache(const char *pkg_id, const unsigned char *dek) +static int _add_app_ce_to_cache(const char *pkg_id, crypto_element_s *ce) { - if (NEXT_CACHE_IDX < 0) - _initialize_cache(); - - // if existing one has the same pkgid - for (size_t i = 0; i < MAX_CACHE_SIZE; i++) { - if (strncmp(pkg_id, APP_DEK_CACHE[i].pkg_id, MAX_PKGID_LEN) == 0) { - memcpy(APP_DEK_CACHE[i].dek, dek, DEK_LEN); - return; - } - } - - // for new pkgid - strncpy(APP_DEK_CACHE[NEXT_CACHE_IDX].pkg_id, pkg_id, MAX_PKGID_LEN - 1); - memcpy(APP_DEK_CACHE[NEXT_CACHE_IDX].dek, dek, DEK_LEN); - - ++NEXT_CACHE_IDX; - - if (NEXT_CACHE_IDX >= MAX_CACHE_SIZE) - NEXT_CACHE_IDX = 0; + return crypto_element_map_add(&_map, pkg_id, ce); } -void _remove_app_dek_from_cache(const char *pkg_id) +void _remove_app_ce_from_cache(const char *pkg_id) { - for (size_t i = 0; i < MAX_CACHE_SIZE; i++) { - if (strncmp(pkg_id, APP_DEK_CACHE[i].pkg_id, MAX_PKGID_LEN) == 0) { - memset(APP_DEK_CACHE[i].pkg_id, 0, MAX_PKGID_LEN); - return; - } - } - + crypto_element_map_remove(&_map, pkg_id); } -int _to_wae_error(int key_manager_error) +int _get_random(raw_buffer_s *rb) { - switch (key_manager_error) { - case CKMC_ERROR_NONE: - return WAE_ERROR_NONE; - - case CKMC_ERROR_INVALID_PARAMETER: + if (!is_buffer_valid(rb)) return WAE_ERROR_INVALID_PARAMETER; - case CKMC_ERROR_PERMISSION_DENIED: - return WAE_ERROR_PERMISSION_DENIED; - - case CKMC_ERROR_DB_ALIAS_UNKNOWN: - return WAE_ERROR_NO_KEY; - - case CKMC_ERROR_DB_ALIAS_EXISTS: - return WAE_ERROR_KEY_EXISTS; - - default: - return WAE_ERROR_KEY_MANAGER; - } -} - -int _get_random(size_t length, unsigned char *random) -{ FILE *f = fopen(RANDOM_FILE, "r"); if (f == NULL) { @@ -142,100 +85,95 @@ int _get_random(size_t length, unsigned char *random) size_t i = 0; int ch = 0; - while (i < length && (ch = fgetc(f) != EOF)) - random[i++] = (unsigned char)ch; + while (i < rb->size && (ch = fgetc(f) != EOF)) + rb->buf[i++] = (unsigned char)ch; fclose(f); return WAE_ERROR_NONE; } -void _get_alias(const char *pkg_id, wae_app_type_e app_type, bool forSave, char *alias, size_t buff_len) +static const char *_get_dek_kek_pub_key_path() { - if (app_type == WAE_DOWNLOADED_NORMAL_APP) { - if (forSave) { - snprintf(alias, buff_len, "%s%s", - APP_DEK_ALIAS_PFX, - pkg_id); - } else { - snprintf(alias, buff_len, "%c%s%s%s%s", - '/', INSTALLER_LABEL, - ckmc_owner_id_separator, - APP_DEK_ALIAS_PFX, - pkg_id); - } - } else { // system alias - snprintf(alias, buff_len, "%s%s%s%s", - ckmc_owner_id_system, - ckmc_owner_id_separator, - APP_DEK_ALIAS_PFX, - pkg_id); - } + return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PublicKey.pem"); } -void _get_dek_kek_alias(char *alias, size_t buff_len) +static const char *_get_dek_kek_pri_key_path() { - snprintf(alias, buff_len, "%s%s%s", - ckmc_owner_id_system, - ckmc_owner_id_separator, - APP_DEK_KEK_ALIAS); + return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PrivateKey.pem"); } -void _get_dek_loading_done_alias(char *alias, size_t buff_len) +static const char *_get_dek_store_path() { - snprintf(alias, buff_len, "%s%s%s", - ckmc_owner_id_system, - ckmc_owner_id_separator, - APP_DEK_LOADING_DONE_ALIAS); + return tzplatform_mkpath3(TZ_SYS_SHARE, "wae", "app_dek"); } -const char *_get_dek_kek_pub_key_path() +static int _write_to_file(const char *path, const raw_buffer_s *data) { - return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PublicKey.pem"); -} + if (path == NULL || data == NULL || data->buf == NULL || data->size == 0) + return WAE_ERROR_INVALID_PARAMETER; -const char *_get_dek_kek_pri_key_path() -{ - return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PrivateKey.pem"); -} + FILE *f = fopen(path, "w"); -const char *_get_dek_store_path() -{ - return tzplatform_mkpath3(TZ_SYS_SHARE, "wae", "app_dek"); + if (f == NULL) { + WAE_SLOGE("WAE: Fail to open a file. file=%s", path); + return WAE_ERROR_FILE; + } + + int write_len = fwrite(data->buf, 1, data->size, f); + + fclose(f); + + if (write_len != (int)data->size) { + WAE_SLOGE("WAE: Fail to write a file. file=%s", path); + return WAE_ERROR_FILE; + } + + return WAE_ERROR_NONE; } -int _add_dek_to_key_manager(const char *pkg_id, wae_app_type_e app_type, const unsigned char *dek, size_t dek_len) +static int _read_from_file(const char *path, raw_buffer_s **pdata) { int ret = WAE_ERROR_NONE; - char alias[MAX_ALIAS_LEN] = {0, }; - ckmc_raw_buffer_s buff; - ckmc_policy_s policy; - - buff.data = (unsigned char *)dek; - buff.size = dek_len; + raw_buffer_s *data = NULL; + int ch = 0; + int i = 0; - policy.password = NULL; - policy.extractable = true; + FILE *f = fopen(path, "r"); - _get_alias(pkg_id, app_type, true, alias, sizeof(alias)); + if (f == NULL) { + WAE_SLOGE("Failed to open a file. file=%s", path); + return WAE_ERROR_FILE; + } - // even if it fails to remove, ignore it. - ckmc_remove_alias(alias); + fseek(f, 0, SEEK_END); // move to the end of a file + int file_len = ftell(f); - ret = _to_wae_error(ckmc_save_data(alias, buff, policy)); - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to add APP_DEK to key-manager. pkg_id=%s, alias=%s, ret=%d", pkg_id, alias, ret); - return ret; + if (file_len <= 0) { + WAE_SLOGE("Failed to get file size by ftell. ret: %d", file_len); + ret = WAE_ERROR_FILE; + goto error; } - // share app_dek for web app laucher to use app_dek - ret = _to_wae_error(ckmc_set_permission(alias, pkg_id, CKMC_PERMISSION_READ)); - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to set_permission to APP_DEK. pkg_id=%s, ret=%d", pkg_id, ret); - return ret; + fseek(f, 0, SEEK_SET); // move to the start of a file + + data = buffer_create(file_len); + if (data == NULL) { + WAE_SLOGE("Failed to allocate memory for encrypted_dek"); + ret = WAE_ERROR_MEMORY; + goto error; } - WAE_SLOGI("WAE: Success to add APP_DEK to key-manager. pkg_id=%s, alias=%s", pkg_id, alias); + while ((ch = fgetc(f)) != EOF) + data->buf[i++] = (char)ch; + + *pdata = data; + +error: + fclose(f); + + if (ret != WAE_ERROR_NONE) + buffer_destroy(data); return ret; } @@ -251,7 +189,7 @@ int _get_preloaded_app_dek_file_path(const char *pkg_id, size_t size, char *path return WAE_ERROR_NONE; } -int _extract_pkg_id_from_file_name(const char *file_name, char *pkg_id) +static int _extract_pkg_id_from_file_name(const char *file_name, char *pkg_id) { char *start = strstr(file_name, APP_DEK_FILE_PFX); @@ -274,238 +212,172 @@ int _extract_pkg_id_from_file_name(const char *file_name, char *pkg_id) return WAE_ERROR_NONE; } -int _read_encrypted_app_dek_from_file(const char *pkg_id, unsigned char **pencrypted_app_dek, size_t *pencrypted_app_dek_len) +int _read_encrypted_app_dek_from_file(const char *pkg_id, raw_buffer_s **pencrypted) { char path[MAX_PATH_LEN] = {0,}; _get_preloaded_app_dek_file_path(pkg_id, sizeof(path), path); - return _read_from_file(path, pencrypted_app_dek, pencrypted_app_dek_len); + return _read_from_file(path, pencrypted); } -int _write_encrypted_app_dek_to_file(const char *pkg_id, const unsigned char *encrypted_app_dek, size_t encrypted_app_dek_len) +int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *encrypted) { char path[MAX_PATH_LEN] = {0,}; _get_preloaded_app_dek_file_path(pkg_id, sizeof(path), path); - return _write_to_file(path, encrypted_app_dek, encrypted_app_dek_len); + return _write_to_file(path, encrypted); } -int _read_from_file(const char *path, unsigned char **pdata, size_t *pdata_len) +int get_app_ce(const char *pkg_id, wae_app_type_e app_type, bool create_for_migrated_app, + const crypto_element_s **pce) { - int ret = WAE_ERROR_NONE; - unsigned char *file_contents = NULL; - int ch = 0; - int i = 0; - - FILE *f = fopen(path, "r"); + if (pkg_id == NULL || pce == NULL) + return WAE_ERROR_INVALID_PARAMETER; - if (f == NULL) { - WAE_SLOGE("WAE: Fail to open a file. file=%s", path); - return WAE_ERROR_FILE; + const crypto_element_s *cached_ce = _get_app_ce_from_cache(pkg_id); + if (cached_ce != NULL) { + WAE_SLOGD("cache hit of app ce for pkg_id(%s)", pkg_id); + *pce = cached_ce; + return WAE_ERROR_NONE; } - fseek(f, 0, SEEK_END); // move to the end of a file - int file_len = ftell(f); + WAE_SLOGD("cache miss of app ce for pkg_id(%s)", pkg_id); - if (file_len <= 0) { - WAE_SLOGE("WAE: Failed to get file size by ftell. ret: %d", file_len); - ret = WAE_ERROR_FILE; - goto error; - } + crypto_element_s *ce = NULL; + int ret = get_from_key_manager(pkg_id, app_type, &ce); - fseek(f, 0, SEEK_SET); // move to the start of a file + if (create_for_migrated_app && + (ret == WAE_ERROR_NO_KEY && app_type == WAE_DOWNLOADED_GLOBAL_APP)) { + WAE_SLOGI("No dek found for pkg_id(%s)! It should be migrated app.", pkg_id); - file_contents = (unsigned char *)malloc(file_len); + if ((ret = get_old_ss_crypto_element(pkg_id, &ce)) != WAE_ERROR_NONE) + goto error; - if (file_contents == NULL) { - WAE_SLOGE("WAE: Fail to allocate memory for encrypted_app_dek"); - ret = WAE_ERROR_MEMORY; + // (k.tak) disable to save ce to key-maanger for migrated app because of permission issue. + //ret = save_to_key_manager(pkg_id, app_type, ce); + //if (ret != WAE_ERROR_NONE) { + // WAE_SLOGW("Failed to save migrated app ce to key-manager with ret(%d). " + // "Ignore this error because we can create ce later again.", ret); + // ret = WAE_ERROR_NONE; + //} + } else if (ret != WAE_ERROR_NONE) { + WAE_SLOGE("Failed to get crypto element from key-manager. pkg_id=%s, ret=%d", + pkg_id, ret); goto error; } - memset(file_contents, 0x00, file_len); + ret = _add_app_ce_to_cache(pkg_id, ce); + if (ret != WAE_ERROR_NONE) { + WAE_SLOGE("Failed to add ce to cache for pkg_id(%s) ret(%d)", pkg_id, ret); + goto error; + } - while ((ch = fgetc(f)) != EOF) - file_contents[i++] = (char)ch; + *pce = ce; - *pdata = file_contents; - *pdata_len = file_len; + WAE_SLOGD("Successfully get ce! pkgid(%s)", pkg_id); -error: - fclose(f); + return WAE_ERROR_NONE; - if (ret != WAE_ERROR_NONE) - free(file_contents); +error: + crypto_element_destroy(ce); return ret; } -int _write_to_file(const char *path, const unsigned char *data, size_t data_len) +int create_app_ce(const char *pkg_id, wae_app_type_e app_type, const crypto_element_s **pce) { - FILE *f = fopen(path, "w"); + raw_buffer_s *dek = buffer_create(DEK_LEN); + raw_buffer_s *iv = buffer_create(IV_LEN); + crypto_element_s *ce = crypto_element_create(dek, iv); - if (f == NULL) { - WAE_SLOGE("WAE: Fail to open a file. file=%s", path); - return WAE_ERROR_FILE; - } - - int write_len = fwrite(data, 1, data_len, f); - - fclose(f); - - if (write_len != (int)data_len) { - WAE_SLOGE("WAE: Fail to write a file. file=%s", path); - return WAE_ERROR_FILE; - } - - return WAE_ERROR_NONE; -} - -int get_app_dek(const char *pkg_id, wae_app_type_e app_type, unsigned char **pdek, size_t *pdek_len) -{ int ret = WAE_ERROR_NONE; - ckmc_raw_buffer_s *dek_buffer = NULL; - char alias[MAX_ALIAS_LEN] = {0, }; - - const unsigned char *cached_dek = _get_app_dek_from_cache(pkg_id); - - if (cached_dek == NULL) { - // get APP_DEK from system database - _get_alias(pkg_id, app_type, false, alias, sizeof(alias)); - - ret = _to_wae_error(ckmc_get_data(alias, NULL, &dek_buffer)); - - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("Failed to get APP_DEK from key-manager. pkg_id=%s, alias=%s, ret=%d", - pkg_id, alias, ret); - goto error; - } else if (dek_buffer == NULL || dek_buffer->data == NULL) { - WAE_SLOGE("key-manager success but buffer is null for getting dek of pkg_id=%s", - pkg_id); - ret = WAE_ERROR_KEY_MANAGER; - goto error; - } else if (dek_buffer->size != DEK_LEN) { - WAE_SLOGE("DEK's length which has been saved in key-manager is not valid!"); - ret = WAE_ERROR_KEY_MANAGER; - goto error; - } - - WAE_SLOGD("Successfully get dek from key-manager for pkgid=%s", pkg_id); - cached_dek = dek_buffer->data; - } - - unsigned char *dek = (unsigned char *)malloc(DEK_LEN); - - if (dek == NULL) { - WAE_SLOGE("Fail to allocate a memory"); + if (ce == NULL) { ret = WAE_ERROR_MEMORY; goto error; } - memcpy(dek, cached_dek, DEK_LEN); - - *pdek = dek; - *pdek_len = DEK_LEN; - - WAE_SLOGI("WAE: Success to get APP_DEK from key-manager. pkg_id=%s, alias=%s", - pkg_id, alias); - -error: - ckmc_buffer_free(dek_buffer); - - if (ret != WAE_ERROR_NONE) - free(dek); - - return ret; -} - -int create_app_dek(const char *pkg_id, wae_app_type_e app_type, unsigned char **pdek, size_t *pdek_len) -{ - unsigned char *dek = (unsigned char *)malloc(DEK_LEN); - - if (dek == NULL) - return WAE_ERROR_MEMORY; - - int ret = _get_random(DEK_LEN, dek); + memcpy(ce->iv->buf, AES_CBC_IV, ce->iv->size); + ret = _get_random(dek); if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to get random for APP_DEK. pkg_id=%s, ret=%d", pkg_id, ret); + WAE_SLOGE("Failed to get random for dek. pkg_id(%s) ret(%d)", pkg_id, ret); goto error; } - // save app_dek in key_manager - ret = _add_dek_to_key_manager(pkg_id, app_type, dek, DEK_LEN); - + ret = save_to_key_manager(pkg_id, app_type, ce); if (ret != WAE_ERROR_NONE) { + WAE_SLOGE("Failed to save ce to key-manager. pkg_id(%s) app_type(%d) ret(%d)", + pkg_id, app_type, ret); goto error; } - // store APP_DEK in cache - _add_app_dek_to_cache(pkg_id, dek); + ret = _add_app_ce_to_cache(pkg_id, ce); + if (ret != WAE_ERROR_NONE) { + WAE_SLOGE("Failed to add ce to cache for pkg_id(%s) ret(%d)", pkg_id, ret); + goto error; + } - *pdek = dek; - *pdek_len = DEK_LEN; + *pce = ce; - WAE_SLOGI("WAE: Success to create APP_DEK and store it in key-manager. pkg_id=%s", pkg_id); + WAE_SLOGI("Success to create dek/iv and store it in key-manager. pkg_id(%s)", pkg_id); return WAE_ERROR_NONE; error: - free(dek); + if (ce == NULL) { + buffer_destroy(dek); + buffer_destroy(iv); + } else { + crypto_element_destroy(ce); + } return ret; } -int get_preloaded_app_dek(const char *pkg_id, unsigned char **pdek, size_t *pdek_len) +int get_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) { - const unsigned char *cached_dek = _get_app_dek_from_cache(pkg_id); + const crypto_element_s *cached_ce = _get_app_ce_from_cache(pkg_id); - if (cached_dek == NULL) { + if (cached_ce == NULL) { WAE_SLOGE("WAE: Fail to get APP_DEK from cache for preloaded app"); return WAE_ERROR_NO_KEY; } - unsigned char *dek = (unsigned char *)malloc(DEK_LEN); - - if (dek == NULL) { - WAE_SLOGE("WAE: Fail to allocate memory for preloaded app dek"); - return WAE_ERROR_MEMORY; - } - - memcpy(dek, cached_dek, DEK_LEN); - - *pdek = dek; - *pdek_len = DEK_LEN; + *pce = cached_ce; return WAE_ERROR_NONE; } -int create_preloaded_app_dek(const char *pkg_id, unsigned char **pdek, size_t *pdek_len) +int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) { - unsigned char *encrypted_app_dek = NULL; - size_t encrypted_app_dek_len = 0; - unsigned char *pubkey = NULL; - size_t pubkey_len = 0; + raw_buffer_s *encrypted_app_dek = NULL; + raw_buffer_s *pubkey = NULL; + raw_buffer_s *dek = buffer_create(DEK_LEN); + raw_buffer_s *iv = buffer_create(sizeof(AES_CBC_IV)); + crypto_element_s *ce = crypto_element_create(dek, iv); - // create APP_DEK - unsigned char *dek = (unsigned char *)malloc(DEK_LEN); + int ret = WAE_ERROR_NONE; - if (dek == NULL) - return WAE_ERROR_MEMORY; + if (dek == NULL || iv == NULL || ce == NULL) { + ret = WAE_ERROR_MEMORY; + goto error; + } - int ret = _get_random(DEK_LEN, dek); + ret = _get_random(dek); if (ret != WAE_ERROR_NONE) goto error; - // encrypt APP_DEK with APP_DEK_KEK - ret = _read_from_file(_get_dek_kek_pub_key_path(), &pubkey, &pubkey_len); + // copy default iv for preloaded app + memcpy(iv->buf, AES_CBC_IV, sizeof(AES_CBC_IV)); + + ret = _read_from_file(_get_dek_kek_pub_key_path(), &pubkey); if (ret != WAE_ERROR_NONE) { WAE_SLOGE("WAE: Fail to read APP_DEK_KEK Public Key"); goto error; } - ret = encrypt_app_dek(pubkey, pubkey_len, dek, DEK_LEN, &encrypted_app_dek, &encrypted_app_dek_len); + ret = encrypt_app_dek(pubkey, dek, &encrypted_app_dek); if (ret != WAE_ERROR_NONE) { WAE_SLOGE("WAE: Fail to encrypt APP_DEK with APP_DEK_KEK"); @@ -513,139 +385,48 @@ int create_preloaded_app_dek(const char *pkg_id, unsigned char **pdek, size_t *p } // write APP_DEK in a file - ret = _write_encrypted_app_dek_to_file(pkg_id, encrypted_app_dek, encrypted_app_dek_len); + ret = _write_encrypted_app_dek_to_file(pkg_id, encrypted_app_dek); if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to write encrypted APP_DEK. pkg_id=%s", pkg_id); + WAE_SLOGE("Failed to write encrypted dek to file. pkg_id(%s)", pkg_id); goto error; } // store APP_DEK in cache - _add_app_dek_to_cache(pkg_id, dek); - - *pdek = dek; - *pdek_len = DEK_LEN; - WAE_SLOGI("WAE: Success to create preleaded APP_DEK and write it in initail value file. pkg_id=%s", pkg_id); - -error: - free(pubkey); - free(encrypted_app_dek); - - if (ret != WAE_ERROR_NONE) - free(dek); - - return ret; -} - -int _get_app_dek_kek(unsigned char **pdek_kek, size_t *pdek_kek_len) -{ - int ret = _read_from_file(_get_dek_kek_pri_key_path(), pdek_kek, pdek_kek_len); - - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to read APP_DEK_KEK Private Key"); - return ret; - } - -#if 0 - ckmc_raw_buffer_s *kek_buffer = NULL; - unsigned char* kek = NULL; - - char dek_kek_alias[MAX_ALIAS_LEN] = {0, }; - _get_dek_kek_alias(dek_kek_alias, sizeof(dek_kek_alias)); - - ret = _to_wae_error(ckmc_get_data(dek_kek_alias, NULL, &kek_buffer)); + _add_app_ce_to_cache(pkg_id, ce); if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("Fail to get APP_DEK_KEK from key-manager. alias=%s, ret=%d", - APP_DEK_KEK_ALIAS, ret); - goto error; + WAE_SLOGE("Failed to add ce to cache for pkg_id(%s) ret(%d)", pkg_id, ret); + goto error; } - kek = (unsigned char *)malloc(kek_buffer->size); - if(kek == NULL) { - WAE_SLOGE("Fail to allocate a memory"); - ret = WAE_ERROR_MEMORY; - goto error; - } - memcpy(kek, kek_buffer->data, kek_buffer->size); + *pce = ce; - *pdek_kek = kek; - *pdek_kek_len = kek_buffer->size; - WAE_SLOGI("Success to get APP_DEK_KEK from key-manager."); + WAE_SLOGI("Success to create preleaded dek and write it in initial value file. " + "pkg_id(%s)", pkg_id); error: - ckmc_buffer_free(kek_buffer); - free(kek); -#endif - - return ret; -} - -int _get_app_deks_loaded() -{ - char loading_done_alias[MAX_ALIAS_LEN] = {0, }; - _get_dek_loading_done_alias(loading_done_alias, sizeof(loading_done_alias)); - - ckmc_raw_buffer_s *buffer = NULL; - int ret = _to_wae_error(ckmc_get_data(loading_done_alias, NULL, &buffer)); - - if (ret == WAE_ERROR_NO_KEY) - WAE_SLOGI("WAE: APP_DEK_LOADING was not done"); - else if (ret == WAE_ERROR_NONE) - WAE_SLOGI("WAE: APP_DEK_LOADING was already done"); - else - WAE_SLOGE("WAE: Fail to get information from key-manager about APP_DEK_LOADING_DONE_ALIAS. ret=%d", ret); - - ckmc_buffer_free(buffer); + buffer_destroy(encrypted_app_dek); + buffer_destroy(pubkey); - return ret; -} - -int _set_app_deks_loaded() -{ - ckmc_raw_buffer_s buff; - ckmc_policy_s policy; - unsigned char dummy_data[1] = {0}; - - buff.data = dummy_data; - buff.size = sizeof(dummy_data); - - policy.password = NULL; - policy.extractable = true; - - char loading_done_alias[MAX_ALIAS_LEN] = {0, }; - _get_dek_loading_done_alias(loading_done_alias, sizeof(loading_done_alias)); - - int ret = _to_wae_error(ckmc_save_data(loading_done_alias, buff, policy)); - - if (ret == WAE_ERROR_KEY_EXISTS) { - WAE_SLOGI("WAE: APP_DEK_LOADING was already done"); - ret = WAE_ERROR_NONE; - } else if (ret == WAE_ERROR_NONE) { - WAE_SLOGI("Success to set APP_DEK_LOADING_DONE_ALIAS to key-manager."); - } else { - WAE_SLOGE("WAE: Fail to set APP_DEK_LOADING_DONE_ALIAS to key-manager. ret=%d", ret); + if (ret != WAE_ERROR_NONE) { + if (ce) { + crypto_element_destroy(ce); + } else { + buffer_destroy(dek); + buffer_destroy(iv); + } } return ret; } -int _clear_app_deks_loaded() +int _get_app_dek_kek(raw_buffer_s **pdek_kek) { - char loading_done_alias[MAX_ALIAS_LEN] = {0, }; - _get_dek_loading_done_alias(loading_done_alias, sizeof(loading_done_alias)); - - int ret = _to_wae_error(ckmc_remove_alias(loading_done_alias)); - - if (ret == WAE_ERROR_NO_KEY) { - WAE_SLOGI("APP_DEK_LOADING_DONE_ALIAS was not set to key-manager before."); - ret = WAE_ERROR_NONE; - } else if (ret == WAE_ERROR_NONE) { - WAE_SLOGI("Success to clear app deks loaded"); - } else { - WAE_SLOGE("Fail to clear APP_DEK_LOADING_DONE_ALIAS to key-manager. ret=%d", ret); - } - - return ret; +#if 0 + return get_dek_kek_from_key_manager(pdek_kek); +#else + return _read_from_file(_get_dek_kek_pri_key_path(), pdek_kek); +#endif } int load_preloaded_app_deks(bool reload) @@ -655,24 +436,23 @@ int load_preloaded_app_deks(bool reload) char pkg_id[MAX_PKGID_LEN] = {0, }; char file_path_buff[MAX_PATH_LEN]; - unsigned char *encrypted_app_dek = NULL; - size_t encrypted_app_dek_len = 0; - unsigned char *app_dek = NULL; - size_t app_dek_len = 0; - unsigned char *prikey = NULL; - size_t prikey_len = 0; + raw_buffer_s *encrypted_dek = NULL; + raw_buffer_s *dek = NULL; + raw_buffer_s *iv = NULL; + raw_buffer_s *prikey = NULL; + crypto_element_s *ce = NULL; int error_during_loading = 0; if (!reload) { // check if all deks were already loaded into key-manager. - ret = _get_app_deks_loaded(); + ret = is_app_deks_loaded_in_key_manager(); if (ret == WAE_ERROR_NONE) return ret; } - ret = _get_app_dek_kek(&prikey, &prikey_len); + ret = _get_app_dek_kek(&prikey); if (ret != WAE_ERROR_NONE) { WAE_SLOGE("Fail to get APP_DEK_KEK Private Key"); @@ -706,7 +486,6 @@ int load_preloaded_app_deks(bool reload) if (entry.d_type != DT_REG || strstr(entry.d_name, APP_DEK_FILE_PFX) == NULL) continue; - memset(file_path_buff, 0, sizeof(file_path_buff)); ret = snprintf(file_path_buff, sizeof(file_path_buff), "%s/%s", _get_dek_store_path(), entry.d_name); @@ -719,75 +498,92 @@ int load_preloaded_app_deks(bool reload) ret = _extract_pkg_id_from_file_name(entry.d_name, pkg_id); if (ret != WAE_ERROR_NONE) { - WAE_SLOGW("Fail to extract pkgid from file. It will be ignored. file=%s", file_path_buff); + WAE_SLOGW("Failed to extract pkgid from file. It will be ignored. file=%s", + file_path_buff); continue; } - ret = _read_from_file(file_path_buff, &encrypted_app_dek, &encrypted_app_dek_len); + ret = _read_from_file(file_path_buff, &encrypted_dek); - if (ret != WAE_ERROR_NONE || encrypted_app_dek == NULL) { - error_during_loading++; - WAE_SLOGW("Fail to read file. It will be ignored. file=%s", file_path_buff); + if (ret != WAE_ERROR_NONE || encrypted_dek == NULL) { + ++error_during_loading; + WAE_SLOGW("Failed to read file. It will be ignored. file=%s", file_path_buff); continue; } - ret = decrypt_app_dek(prikey, prikey_len, APP_DEK_KEK_PRIKEY_PASSWORD, - encrypted_app_dek, encrypted_app_dek_len, - &app_dek, &app_dek_len); + ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek); - if (ret != WAE_ERROR_NONE || app_dek == NULL) { - error_during_loading++; - WAE_SLOGW("Fail to decrypt APP DEK. It will be ignored. file=%s", file_path_buff); + buffer_destroy(encrypted_dek); + encrypted_dek = NULL; + + if (ret != WAE_ERROR_NONE || dek == NULL) { + ++error_during_loading; + WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", + file_path_buff); continue; } + iv = buffer_create(IV_LEN); + if (iv == NULL) { + ++error_during_loading; + buffer_destroy(dek); + dek = NULL; + continue; + } + + memcpy(iv->buf, AES_CBC_IV, iv->size); - // save app_dek in key_manager - ret = _add_dek_to_key_manager(pkg_id, WAE_PRELOADED_APP, app_dek, app_dek_len); - // free temp objects - free(app_dek); - free(encrypted_app_dek); - app_dek = NULL; - encrypted_app_dek = NULL; + ce = crypto_element_create(dek, iv); + if (ce == NULL) { + ++error_during_loading; + buffer_destroy(iv); + iv = NULL; + buffer_destroy(dek); + dek = NULL; + continue; + } + + ret = save_to_key_manager(pkg_id, WAE_PRELOADED_APP, ce); if (ret == WAE_ERROR_KEY_EXISTS) { - WAE_SLOGI("Key Manager already has APP_DEK. It will be ignored. file=%s", file_path_buff); + WAE_SLOGI("Key Manager already has dek. It will be ignored. file=%s", + file_path_buff); } else if (ret != WAE_ERROR_NONE) { - error_during_loading++; + ++error_during_loading; WAE_SLOGW("Fail to add APP DEK to key-manager. file=%s", file_path_buff); } + + crypto_element_destroy(ce); + ce = NULL; } - ret = _set_app_deks_loaded(); + ret = set_app_deks_loaded_to_key_manager(); - if (ret == WAE_ERROR_NONE) { - WAE_SLOGI("Success to load_preloaded_app_deks"); - ret = WAE_ERROR_NONE; - } else { - WAE_SLOGW("Fail to _set_app_deks_loaded to key-manager. ret=%d", ret); +error: + if (ret != WAE_ERROR_NONE) { + if (ce) { + crypto_element_destroy(ce); + } else { + buffer_destroy(dek); + buffer_destroy(iv); + } } -error: - free(prikey); + buffer_destroy(prikey); closedir(dir); return ret; } -int remove_app_dek(const char *pkg_id, wae_app_type_e app_type) +int remove_app_ce(const char *pkg_id, wae_app_type_e app_type) { - char alias[MAX_ALIAS_LEN] = {0,}; - - _get_alias(pkg_id, app_type, true, alias, sizeof(alias)); - - int ret = _to_wae_error(ckmc_remove_alias(alias)); + int ret = remove_from_key_manager(pkg_id, app_type); - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("Fail to remove APP_DEK from key-manager. pkg_id=%s, alias=%s, ret=%d", pkg_id, alias, ret); - return ret; - } + if (ret != WAE_ERROR_NONE) + WAE_SLOGE("Failed to remove app ce for pkg_id(%s) ret(%d)", pkg_id, ret); + else + WAE_SLOGI("Success to remove app ce for pkg_id(%s)", pkg_id); - _remove_app_dek_from_cache(pkg_id); - WAE_SLOGI("Success to remove APP_DEK from key-manager. pkg_id=%s", pkg_id); + _remove_app_ce_from_cache(pkg_id); - return WAE_ERROR_NONE; + return ret; } |