From fd2d39061c3fde9b2faba0a4146eb79114c29660 Mon Sep 17 00:00:00 2001 From: Dongsun Lee Date: Sat, 19 Jan 2019 21:21:20 +0900 Subject: Replace DEK_KEK from RSA key to AES key Change-Id: I5a5b6935ee1908bd9be7edf0087fcd17d61b9fd2 Signed-off-by: Dongsun Lee --- CMakeLists.txt | 5 + packaging/libwebappenc.spec | 2 - resources/CMakeLists.txt | 7 +- resources/README_APP_DEK | 2 +- resources/WAE_APPDEK_KEK_PrivateKey.pem | 30 ----- resources/WAE_APPDEK_KEK_PublicKey.pem | 9 -- srcs/crypto_service.c | 195 +++++++------------------------- srcs/crypto_service.h | 7 +- srcs/key_handler.c | 79 ++----------- srcs/key_handler.h | 3 +- srcs/key_manager.c | 49 -------- tests/CMakeLists.txt | 1 - tests/internals.cpp | 64 +---------- tests/resources/CMakeLists.txt | 19 ---- tests/resources/prikey.pem | 30 ----- tests/resources/pubkey.pem | 9 -- tests/test-helper.cpp | 31 +---- 17 files changed, 74 insertions(+), 468 deletions(-) delete mode 100644 resources/WAE_APPDEK_KEK_PrivateKey.pem delete mode 100644 resources/WAE_APPDEK_KEK_PublicKey.pem delete mode 100644 tests/resources/CMakeLists.txt delete mode 100644 tests/resources/prikey.pem delete mode 100644 tests/resources/pubkey.pem diff --git a/CMakeLists.txt b/CMakeLists.txt index 27a4fee..2d1f806 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -57,6 +57,11 @@ ADD_DEFINITIONS("-DSMACK_ENABLED") ADD_DEFINITIONS("-DSQLCIPHER_HAS_CODEC") ADD_DEFINITIONS("-DBINDIR=\"${BINDIR}\"") +# Set seed for dek_kek +STRING(TIMESTAMP SEED "%Y%m%d_%H:%M:%S") +ADD_DEFINITIONS("-DDEK_KEK_SEED=\"${SEED}\"") + + # IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE") ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") diff --git a/packaging/libwebappenc.spec b/packaging/libwebappenc.spec index 8db7728..8b0bea6 100644 --- a/packaging/libwebappenc.spec +++ b/packaging/libwebappenc.spec 
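Review bot: The seed added here, `STRING(TIMESTAMP SEED "%Y%m%d_%H:%M:%S")` fed into `-DDEK_KEK_SEED=...`, ends up as a string literal inside the built library, so anyone who can read libwebappenc can recover it (e.g. with `strings`) and, because `_generate_dek_kek` in crypto_service.c derives the AES key from it with `PKCS5_PBKDF2_HMAC_SHA1` and an empty salt, reproduce the KEK; a second-resolution timestamp is also a small enough space that guessing it without the binary looks feasible. A second consequence is that every rebuild yields a different KEK, so app DEK files produced by an earlier build of the package cannot be decrypted by a later one; that may be fine for preloaded DEKs that are loaded once and then removed, but nothing in the diff says so. If a build-time seed is what the platform allows, document both properties beside the definition, e.g. `# NOTE: the seed is compiled into the library and changes on every build; it only obscures preloaded DEKs from casual reading, it does not protect them from anyone holding the binary.`, and consider replacing it with a per-device secret that never ships in the image.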
@@ -96,7 +96,6 @@ fi %{bin_dir}/wae_initializer %dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae %dir %attr(770, %user_name, %group_name) %{rw_share_dir}/wae/app_dek -%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/app_dek/* %files devel %{_includedir}/* @@ -109,4 +108,3 @@ fi %license LICENSE.BSL-1.0 %{bin_dir}/wae_tests %{_libdir}/libwae_tests_common.so* -%attr(660, %user_name, %group_name) %{rw_share_dir}/wae/test/app_dek/* diff --git a/resources/CMakeLists.txt b/resources/CMakeLists.txt index ffc566e..2fb09cc 100644 --- a/resources/CMakeLists.txt +++ b/resources/CMakeLists.txt @@ -16,10 +16,7 @@ # @author Dongsun Lee (ds73.lee@samsung.com) # @brief Resource install cmake # -INSTALL(FILES - WAE_APPDEK_KEK_PublicKey.pem - WAE_APPDEK_KEK_PrivateKey.pem + +INSTALL(DIRECTORY DESTINATION ${RW_SHARE_DIR}/wae/app_dek - PERMISSIONS OWNER_READ - OWNER_WRITE ) diff --git a/resources/README_APP_DEK b/resources/README_APP_DEK index 724b8c2..81667fb 100644 --- a/resources/README_APP_DEK +++ b/resources/README_APP_DEK @@ -1 +1 @@ -The directory, app_dek, contains APP_DEK files encrypted with APP_DEK_KEK public key. +The directory, app_dek, contains APP_DEK files encrypted with APP_DEK_KEK key. diff --git a/resources/WAE_APPDEK_KEK_PrivateKey.pem b/resources/WAE_APPDEK_KEK_PrivateKey.pem deleted file mode 100644 index e27950c..0000000 --- a/resources/WAE_APPDEK_KEK_PrivateKey.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,F4C783D75B0679F29398E9A3CAB4733D - -kxgW1wGX3TZZ/wtv3g4AOLlZCHoQ6uXVQ0h2ofWjnJs8tas/alR6o8UBRIqCw44t -znUvQ8HlThvzhGgxje/yDDSxCy9mqhgsi2XeTtAeUbMhFL6UArb3cs6M4a37lYoT -llZdFyYkRWJ3vRS33TDrhXDV6GjZWQ05SJ0OYdPJsmA1ENwdH+5NE/xLnqLdTtWr -O3Mn2vi6P9CVqZroCvYBzUaypGcmFhjTIbWmB6inXjoXyddzerh7PTDBDWWacBab -C7gcZC5SrK5YOt6f54ANsVQO8jnkLDx95gUSHYthX1hrQ3Da5Gb6nfYP9RNrHCum -O8RKxSOvv8zwbMlzqtld8xCOb7Nh04f8bofrzZVLZ0T92FcyFQmt1F4U6DNQqHsn -AAqxRxUWsC5k2dX9uZ6RCpEzNYWyPvNe24I/Kt01Geoh1NtCns8CVZcrxyMMtZRK -ZJnYhvNDXDQCDtMJjRBiEXXE++AdA2O6uFoGX3alKwtxAIjGI++pSRlz1GTps26x -5mmLil5wb3KGBfMN4L0R0heDOeiPQrNv7CwX8OlHtA1OKFBtViWdd/uZ2hAko1Tz -YkoYpHPQOV5LZ7dem/XNnwwel9g6AkHhLNJv5ih4Y0CQfPBSs+iiLbMHh/NaGDD9 -+kbcf5Lk4FQGVbJDW9nDAXT6jjMyliTI+hIh5fM2k22qbq6OqBkW6EbOQDMP/R2P -LhFqTgHceNt0mqpcDJdJQ0YKbxVpdkv5f1C4rW+pgUEeHDCQ7vPe4p44xQJ/Z/7Y -AtPwPKzPPJze2cfoUkZd9jXN9g2v2555xnQZU78IEm1nPVBA+hLIaqN1hu1Lkzxy -CwFNo7bMVh3FSBmZVtJlcLsyLxZ9UdoaSr+anfA0lWJPiBzE0whQljZp56l1rL1V -1K8m/dc9rLJ3uDQmYoSRmBZG5zZlVWCip+R9VAHMxRi1x29dFk1jbtQscr63dMI8 -0eOUf28Mw719WWUZVzD08b431DPqWiqrpexUKEXPW8EsrINPfIg180QYt1VUoshs -Tqi/LKM0OV6nlMGh9ieCK8WzVDW8F16krSLo6eJpIPYPZgkHE7fC7Jws1kpUrSnF -GgT6rBA97tJ0EalinuFXbip1X087Quz5USURq18f7/B6nFu0Kd4GhlICsR24j3eB -75SsTNmfUcko8s5QT4rwONEwtRffkGbbNEisCPcleJV68zHvN58mfD7Dl8W3zIO4 -Qk6B1Xy0C4EEniKFfjxIaMEaxrqntBIc+nZE6/+UoGp/Hj9r5ZdzQX2j4837IIdR -CxT4tjXiWBA6u3WaLAZUSM0W0SEORUF9NwzlId1b8A3WxA8XewhAKPaJEr677vzZ -083+neUOuXqqs597romLH1omuffxmHxBzmP+koUtemP78XxCBVWUAB1T+fBRJMz6 -9ZEgDWrMntJ1IaFoGdOWZELgwcXJ0KwWFuk+sieZ5WCCzNmFli9WPN/xSqwmdYw6 -RK9er5Vc8D9mAlmGlz2mpAmzNJHH30zYKT/d0XzBS8z6WBRthaTS3NLsiSeWdELH -b5+WEMOiKvZ19AXU2unHw/XpeVnAISOHhumAqFCwXkjVoMt8LMDawt6ra8N8G+gD ------END RSA PRIVATE KEY----- diff --git a/resources/WAE_APPDEK_KEK_PublicKey.pem b/resources/WAE_APPDEK_KEK_PublicKey.pem deleted file mode 100644 index f0dfcea..0000000 
--- a/resources/WAE_APPDEK_KEK_PublicKey.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/ -BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9 -+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq -8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw -S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq -Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4 -+wIDAQAB ------END PUBLIC KEY----- diff --git a/srcs/crypto_service.c b/srcs/crypto_service.c index c28c0cd..dcc172e 100644 --- a/srcs/crypto_service.c +++ b/srcs/crypto_service.c @@ -35,6 +35,11 @@ #include "wae_log.h" #define AES_256_KEY_SIZE 32 +#define KEK_IV_LEN 16 +#define PBKDF2_ITERATION 1024 + + +crypto_element_s *dek_kek = NULL; static bool __initialized = false; 
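Review bot: `crypto_element_s *dek_kek = NULL;` is defined at file scope without `static`, so the cached KEK becomes an exported symbol of the shared library and anything linked against it can read or swap the key material; the neighbouring `static bool __initialized` shows the intended linkage, so this should be `static crypto_element_s *dek_kek = NULL;`. `PBKDF2_ITERATION` is set to 1024, far below what is usually recommended for PBKDF2-HMAC-SHA1 today, and since this derivation runs once per process a much higher count would cost little; if the low value is deliberate, say why in a comment on the define. Nothing in the diff ever frees or wipes `dek_kek`, so the key stays in process memory for the lifetime of the service — worth a one-line comment if that is intended.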
@@ -47,186 +52,74 @@ void _initialize() } } -int encrypt_app_dek(const raw_buffer_s *pubkey, const raw_buffer_s *dek, - raw_buffer_s **pencrypted_dek) +int _generate_dek_kek() { - if (!is_buffer_valid(pubkey) || !is_buffer_valid(dek) || pencrypted_dek == NULL) - return WAE_ERROR_INVALID_PARAMETER; - int ret = WAE_ERROR_NONE; - EVP_PKEY *key = NULL; - EVP_PKEY_CTX *ctx = NULL; - raw_buffer_s *encrypted_dek = NULL; - size_t len = 0; - - _initialize(); - - BIO *bio = BIO_new(BIO_s_mem()); - BIO_write(bio, pubkey->buf, pubkey->size); - key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); - - if (key == NULL) { - BIO_reset(bio); - BIO_write(bio, pubkey->buf, pubkey->size); - key = d2i_PUBKEY_bio(bio, NULL); - } - - if (key == NULL) { - ret = WAE_ERROR_FILE; - WAE_SLOGE("Failt to convert to public key."); - goto error; - } - - ctx = EVP_PKEY_CTX_new(key, NULL); - - if (ctx == NULL) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_new failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } + raw_buffer_s *kek = NULL; + raw_buffer_s *iv = NULL; - if (EVP_PKEY_encrypt_init(ctx) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt_init failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - /* Determine buffer length */ - if (EVP_PKEY_encrypt(ctx, NULL, &len, dek->buf, dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed"); - ret = WAE_ERROR_CRYPTO; + kek = buffer_create(AES_256_KEY_SIZE); + if (kek == NULL) { + ret = WAE_ERROR_MEMORY; goto error; } - - if ((encrypted_dek = buffer_create(len)) == NULL) { - WAE_SLOGE("Encrypt APP DEK Failed. 
OPENSSL_malloc failed"); + iv = buffer_create(KEK_IV_LEN); + if (iv == NULL) { ret = WAE_ERROR_MEMORY; goto error; } - if (EVP_PKEY_encrypt(ctx, encrypted_dek->buf, &encrypted_dek->size, dek->buf, - dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_encrypt failed"); + ret = PKCS5_PBKDF2_HMAC_SHA1( + DEK_KEK_SEED, -1, + NULL, 0, + PBKDF2_ITERATION, + AES_256_KEY_SIZE, + kek->buf); + if (ret == 0) { ret = WAE_ERROR_CRYPTO; goto error; + } else { + ret = WAE_ERROR_NONE; } - *pencrypted_dek = encrypted_dek; - + dek_kek = crypto_element_create(kek, iv); error: - if (bio != NULL) - BIO_free(bio); - - if (key != NULL) - EVP_PKEY_free(key); - - if (ctx != NULL) - EVP_PKEY_CTX_free(ctx); - - if (ret != WAE_ERROR_NONE) - buffer_destroy(encrypted_dek); + if (ret != WAE_ERROR_NONE) { + if (kek != NULL) + buffer_destroy(kek); + if (iv != NULL) + buffer_destroy(iv); + } return ret; } -int decrypt_app_dek(const raw_buffer_s *prikey, const char *prikey_pass, - const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek) +int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek) { - if (!is_buffer_valid(prikey) || !is_buffer_valid(encrypted_dek) || pdek == NULL) - return WAE_ERROR_INVALID_PARAMETER; - int ret = WAE_ERROR_NONE; - EVP_PKEY_CTX *ctx = NULL; - raw_buffer_s *dek = NULL; - size_t len = 0; - - _initialize(); - BIO *bio = BIO_new(BIO_s_mem()); - if (bio == NULL) - return WAE_ERROR_MEMORY; - - BIO_write(bio, prikey->buf, prikey->size); - EVP_PKEY *key = PEM_read_bio_PrivateKey(bio, NULL, NULL, (void *)prikey_pass); - - if (key == NULL) { - BIO_reset(bio); - BIO_write(bio, prikey->buf, prikey->size); - key = d2i_PrivateKey_bio(bio, NULL); - } - - if (key == NULL) { - ret = WAE_ERROR_FILE; - WAE_SLOGE("Failed to convert to public key."); - goto error; - } - - ctx = EVP_PKEY_CTX_new(key, NULL); - - if (ctx == NULL) { - WAE_SLOGE("Decrypt APP DEK Failed. 
EVP_PKEY_CTX_new failed"); - ret = WAE_ERROR_CRYPTO; - goto error; + if (dek_kek == NULL) { + ret = _generate_dek_kek(); + if (ret != WAE_ERROR_NONE) + return ret; } - if (EVP_PKEY_decrypt_init(ctx) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt_init failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_CTX_set_rsa_padding failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } - - /* Determine buffer length */ - if (EVP_PKEY_decrypt(ctx, NULL, &len, encrypted_dek->buf, encrypted_dek->size) <= 0) { - WAE_SLOGE("Decrypt APP DEK Failed. EVP_PKEY_decrypt failed"); - ret = WAE_ERROR_CRYPTO; - goto error; - } + return encrypt_aes_cbc(dek_kek, dek, pencrypted_dek); +} - dek = buffer_create(len); - if (dek == NULL) { - WAE_SLOGE("Decrypt APP DEK Failed. OPENSSL_malloc failed"); - ret = WAE_ERROR_MEMORY; - goto error; - } +int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek) +{ + int ret = WAE_ERROR_NONE; - if (EVP_PKEY_decrypt(ctx, dek->buf, &dek->size, encrypted_dek->buf, - encrypted_dek->size) <= 0) { - WAE_SLOGE("Encrypt APP DEK Failed. EVP_PKEY_decrypt failed"); - ret = WAE_ERROR_CRYPTO; - goto error; + if (dek_kek == NULL) { + ret = _generate_dek_kek(); + if (ret != WAE_ERROR_NONE) + return ret; } - *pdek = dek; - -error: - if (bio != NULL) - BIO_free(bio); - - if (key != NULL) - EVP_PKEY_free(key); - - if (ctx != NULL) - EVP_PKEY_CTX_free(ctx); - - if (ret != WAE_ERROR_NONE) - buffer_destroy(dek); - - return ret; + return decrypt_aes_cbc(dek_kek, encrypted_dek, pdek); } - int encrypt_aes_cbc(const crypto_element_s *ce, const raw_buffer_s *data, raw_buffer_s **pencrypted_data) { diff --git a/srcs/crypto_service.h b/srcs/crypto_service.h index c6340ae..a2d7412 100644 --- a/srcs/crypto_service.h +++ b/srcs/crypto_service.h 
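Review bot: `_generate_dek_kek` never checks the result of `dek_kek = crypto_element_create(kek, iv);`: on failure `ret` is still `WAE_ERROR_NONE`, so the function reports success with `dek_kek == NULL`, and `encrypt_preloaded_app_dek`/`decrypt_preloaded_app_dek` then pass that NULL straight into `encrypt_aes_cbc`/`decrypt_aes_cbc` (and `kek`/`iv` are not released on that path unless `crypto_element_create` does so itself, which is outside the hunk). The `iv` buffer is allocated with `buffer_create(KEK_IV_LEN)` but never filled, so whatever `buffer_create` leaves in it (zeros or uninitialised bytes — not visible here) is used as the CBC IV for every preloaded DEK under the same static key; with a fixed key and IV, equal DEKs produce equal ciphertexts, which is tolerable only because DEKs are random, and that assumption deserves a comment. The deleted `encrypt_app_dek`/`decrypt_app_dek` validated their buffers with `is_buffer_valid` and called `_initialize()` before touching OpenSSL; the new wrappers do neither, so unless `encrypt_aes_cbc` performs both (outside this hunk) a NULL `dek` reaches the cipher code. The error-path fix and the restored argument checks are sketched below.
```c
int _generate_dek_kek()
{
	/* … unchanged: allocate kek/iv, derive kek with PKCS5_PBKDF2_HMAC_SHA1 … */
	dek_kek = crypto_element_create(kek, iv);
	if (dek_kek == NULL) {
		ret = WAE_ERROR_MEMORY;
		goto error;
	}
error:
	/* … unchanged: destroy kek/iv when ret != WAE_ERROR_NONE … */
}

int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek)
{
	if (!is_buffer_valid(dek) || pencrypted_dek == NULL)
		return WAE_ERROR_INVALID_PARAMETER;
	/* … unchanged: lazy _generate_dek_kek() and encrypt_aes_cbc call … */
}

int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek)
{
	if (!is_buffer_valid(encrypted_dek) || pdek == NULL)
		return WAE_ERROR_INVALID_PARAMETER;
	/* … unchanged: lazy _generate_dek_kek() and decrypt_aes_cbc call … */
}
```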
@@ -28,10 +28,9 @@ extern "C" { #include "types.h" -int encrypt_app_dek(const raw_buffer_s *pubkey, const raw_buffer_s *dek, - raw_buffer_s **pencrypted_dek); -int decrypt_app_dek(const raw_buffer_s *prikey, const char *prikey_pass, - const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek); + +int encrypt_preloaded_app_dek(const raw_buffer_s *dek, raw_buffer_s **pencrypted_dek); +int decrypt_preloaded_app_dek(const raw_buffer_s *encrypted_dek, raw_buffer_s **pdek); int encrypt_aes_cbc(const crypto_element_s *ce, const raw_buffer_s *data, diff --git a/srcs/key_handler.c b/srcs/key_handler.c index a60142e..c198d19 100644 --- a/srcs/key_handler.c +++ b/srcs/key_handler.c @@ -104,16 +104,6 @@ int _get_random(raw_buffer_s *rb) return WAE_ERROR_NONE; } -const char *_get_dek_kek_pub_key_path() -{ - return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PublicKey.pem"); -} - -const char *_get_dek_kek_pri_key_path() -{ - return tzplatform_mkpath4(TZ_SYS_SHARE, "wae", "app_dek", "WAE_APPDEK_KEK_PrivateKey.pem"); -} - const char *_get_dek_store_path() { return tzplatform_mkpath3(TZ_SYS_SHARE, "wae", "app_dek"); @@ -197,8 +187,8 @@ error: return ret; } -typedef int(*entry_callback)(const char *path, const struct dirent *entry, void *user_data); -static int traverse_directory(const char *path, entry_callback ecb, void *user_data) +typedef int(*entry_callback)(const char *path, const struct dirent *entry); +static int traverse_directory(const char *path, entry_callback ecb) { DIR *dir = opendir(path); if (dir == NULL) { @@ -228,7 +218,7 @@ static int traverse_directory(const char *path, entry_callback ecb, void *user_d continue; } - int _ret = ecb(path, result, user_data); + int _ret = ecb(path, result); if (_ret != WAE_ERROR_NONE) ret = _ret; } 
@@ -243,10 +233,8 @@ static void _remove_file(const char *path) } static int _entry_callback_remove_all( - const char *path, const struct dirent *entry, void *user_data) + const char *path, const struct dirent *entry) { - (void) user_data; // TODO: use UNUSED macro - char file_path_buff[MAX_PATH_LEN] = {0, }; if ((unsigned)snprintf(file_path_buff, sizeof(file_path_buff), "%s/%s", path, entry->d_name) >= sizeof(file_path_buff)) @@ -254,7 +242,7 @@ static int _entry_callback_remove_all( int ret = WAE_ERROR_NONE; if (entry->d_type == DT_DIR) { - int _ret = traverse_directory(file_path_buff, _entry_callback_remove_all, NULL); + int _ret = traverse_directory(file_path_buff, _entry_callback_remove_all); if (_ret != WAE_ERROR_NONE) ret = _ret; rmdir(file_path_buff); @@ -266,7 +254,7 @@ static int _entry_callback_remove_all( void _remove_directory(const char *path) { - traverse_directory(path, _entry_callback_remove_all, NULL); + traverse_directory(path, _entry_callback_remove_all); WAE_SLOGD("remove directory(%s)", path); rmdir(path); @@ -323,8 +311,7 @@ int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *enc return _write_to_file(path, encrypted); } -int _load_preloaded_app_dek( - const raw_buffer_s *prikey, const char *filepath, const char *pkg_id) +int _load_preloaded_app_dek(const char *filepath, const char *pkg_id) { raw_buffer_s *encrypted_dek = NULL; raw_buffer_s *dek = NULL; @@ -337,7 +324,7 @@ int _load_preloaded_app_dek( return ret; } - ret = decrypt_app_dek(prikey, APP_DEK_KEK_PRIKEY_PASSWORD, encrypted_dek, &dek); + ret = decrypt_preloaded_app_dek(encrypted_dek, &dek); if (ret != WAE_ERROR_NONE) { WAE_SLOGW("Failed to decrypt dek. It will be ignored. file=%s", filepath); goto finish; 
@@ -536,7 +523,6 @@ int get_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) { raw_buffer_s *encrypted_app_dek = NULL; - raw_buffer_s *pubkey = NULL; raw_buffer_s *dek = buffer_create(DEK_LEN); raw_buffer_s *iv = buffer_create(sizeof(AES_CBC_IV)); crypto_element_s *ce = crypto_element_create(dek, iv); @@ -556,14 +542,7 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) // copy default iv for preloaded app memcpy(iv->buf, AES_CBC_IV, sizeof(AES_CBC_IV)); - ret = _read_from_file(_get_dek_kek_pub_key_path(), &pubkey); - - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("WAE: Fail to read APP_DEK_KEK Public Key"); - goto error; - } - - ret = encrypt_app_dek(pubkey, dek, &encrypted_app_dek); + ret = encrypt_preloaded_app_dek(dek, &encrypted_app_dek); if (ret != WAE_ERROR_NONE) { WAE_SLOGE("WAE: Fail to encrypt APP_DEK with APP_DEK_KEK"); @@ -592,7 +571,6 @@ int create_preloaded_app_ce(const char *pkg_id, const crypto_element_s **pce) error: buffer_destroy(encrypted_app_dek); - buffer_destroy(pubkey); if (ret != WAE_ERROR_NONE) { if (ce) { 
@@ -606,29 +584,13 @@ error: return ret; } -int _get_app_dek_kek(raw_buffer_s **pdek_kek) -{ -#if 0 - return get_dek_kek_from_key_manager(pdek_kek); -#else - return _read_from_file(_get_dek_kek_pri_key_path(), pdek_kek); -#endif -} - static int _entry_callback_load_preloaded_adeks( - const char *path, const struct dirent *entry, void *prikey) + const char *path, const struct dirent *entry) { - const char *pub_key_path = _get_dek_kek_pub_key_path(); - const char *pri_key_path = _get_dek_kek_pri_key_path(); - char file_path_buff[MAX_PATH_LEN] = {0, }; if ((unsigned)snprintf(file_path_buff, sizeof(file_path_buff), "%s/%s", path, entry->d_name) >= sizeof(file_path_buff)) return WAE_ERROR_INVALID_PARAMETER; /* buffer size too small */ - if (strcmp(file_path_buff, pub_key_path) == 0 || - strcmp(file_path_buff, pri_key_path) == 0) - return WAE_ERROR_NONE; /* skip KEK files */ - if (entry->d_type != DT_REG || strstr(entry->d_name, APP_DEK_FILE_PFX) == NULL) { if (entry->d_type == DT_DIR) WAE_SLOGW( @@ -648,7 +610,7 @@ static int _entry_callback_load_preloaded_adeks( return ret; } - ret = _load_preloaded_app_dek((raw_buffer_s *)prikey, file_path_buff, pkg_id); + ret = _load_preloaded_app_dek(file_path_buff, pkg_id); if (ret == WAE_ERROR_NONE || ret == WAE_ERROR_KEY_EXISTS) { WAE_SLOGI("Successfully load app dek(%s)", file_path_buff); return WAE_ERROR_NONE; @@ -666,7 +628,6 @@ int load_preloaded_app_deks() const char *dek_store_path = _get_dek_store_path(); - raw_buffer_s *prikey = NULL; DIR *dir = NULL; // check if all deks were already loaded into key-manager. 
@@ -686,34 +647,18 @@ int load_preloaded_app_deks() } } - ret = _get_app_dek_kek(&prikey); - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("Fail to get APP_DEK_KEK Private Key. ret(%d)", ret); - goto out; - } - // close dek store dir fd not to affect the traverse_directory call closedir(dir); dir = NULL; - ret = traverse_directory(dek_store_path, _entry_callback_load_preloaded_adeks, prikey); + ret = traverse_directory(dek_store_path, _entry_callback_load_preloaded_adeks); if (ret != WAE_ERROR_NONE) WAE_SLOGE("Fail when traverse dek store directory. ret(%d)", ret); out: - if (prikey != NULL) - buffer_destroy(prikey); - if (dir != NULL) closedir(dir); - // remove dek store after loade done even though it's partially failed - // because malware can still put the file in dek store if it still system service's - // ownership and they can break this logic by inserting any file to dek store path. - // If KEK private key is inserted to key-manager with initial-value feature, malware - // cannot insert/encrypt/decrypt app dek so it's fine on preloaded app security but - // if we handle errors related loading file, malware can at least occur webappenc - // initializer service failure. _remove_directory(dek_store_path); return ret; diff --git a/srcs/key_handler.h b/srcs/key_handler.h index f5ce3e4..871fe60 100644 --- a/srcs/key_handler.h +++ b/srcs/key_handler.h @@ -42,10 +42,9 @@ int _get_preloaded_app_dek_file_path(const char *pkg_id, size_t size, char *path int _read_encrypted_app_dek_from_file(const char *pkg_id, raw_buffer_s **pencrypted); int _write_encrypted_app_dek_to_file(const char *pkg_id, const raw_buffer_s *encrypted); void _remove_directory(const char *path); -const char *_get_dek_kek_pub_key_path(); -const char *_get_dek_kek_pri_key_path(); const char *_get_dek_store_path(); + /* functions for interface */ int get_app_ce(uid_t uid, const char *pkg_id, wae_app_type_e app_type, bool create_for_migrated_app, const crypto_element_s **pce); 
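Review bot: The comment block removed at the end of `load_preloaded_app_deks` was the only explanation of why `_remove_directory(dek_store_path);` runs unconditionally even when loading partially failed, and that behaviour is kept, so the reasoning should survive in some form. The key-manager part of the old text no longer applies, but a short replacement such as `// Remove the dek store even after a partial failure: a file dropped here by an` / `// attacker must not be retried or keep the initializer failing forever.` keeps the intent visible. `load_preloaded_app_deks` starts before this hunk.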
diff --git a/srcs/key_manager.c b/srcs/key_manager.c index 1f7a96d..ac49bb9 100644 --- a/srcs/key_manager.c +++ b/srcs/key_manager.c @@ -283,52 +283,3 @@ int remove_from_key_manager(const char *name, wae_app_type_e type) return _to_wae_error(ckmc_remove_alias(alias)); } - -static int _get_dek_kek_alias(char *alias, size_t buff_len) -{ - return (unsigned)snprintf(alias, buff_len, "%s%s%s", - ckmc_owner_id_system, - ckmc_owner_id_separator, - APP_DEK_KEK_ALIAS) >= buff_len - ? WAE_ERROR_INVALID_PARAMETER - : WAE_ERROR_NONE; -} - -int get_dek_kek_from_key_manager(raw_buffer_s **pdek_kek) -{ - if (pdek_kek == NULL) - return WAE_ERROR_INVALID_PARAMETER; - - ckmc_raw_buffer_s *buf = NULL; - - char alias[MAX_ALIAS_LEN] = {0, }; - int ret = _get_dek_kek_alias(alias, sizeof(alias)); - if (ret != WAE_ERROR_NONE) - return ret; - - ret = _to_wae_error(ckmc_get_data(alias, NULL, &buf)); - if (ret != WAE_ERROR_NONE) { - WAE_SLOGE("Failed to get dek kek from key-manager. alias(%s) ret(%d)", - alias, ret); - return ret; - } - - raw_buffer_s *dek_kek = buffer_create(buf->size); - if (dek_kek == NULL) { - ret = WAE_ERROR_MEMORY; - goto error; - } - memcpy(dek_kek->buf, buf->data, dek_kek->size); - - *pdek_kek = dek_kek; - - WAE_SLOGI("Success to get dek kek from key-manager."); - -error: - ckmc_buffer_free(buf); - - if (ret != WAE_ERROR_NONE) - buffer_destroy(dek_kek); - - return ret; -} diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 07d2082..f2c2353 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -98,4 +98,3 @@ INSTALL(TARGETS ${TARGET_WAE_TEST} WORLD_EXECUTE ) -ADD_SUBDIRECTORY(resources) diff --git a/tests/internals.cpp b/tests/internals.cpp index 7a13df7..626c998 100644 --- a/tests/internals.cpp +++ b/tests/internals.cpp 
@@ -88,48 +88,8 @@ BOOST_AUTO_TEST_SUITE(SYSTEM) BOOST_AUTO_TEST_SUITE(INTERNALS) -BOOST_AUTO_TEST_CASE(encrypt_decrypt_app_dek) +BOOST_AUTO_TEST_CASE(encrypt_decrypt_preloaded_app_dek) { - const char *private_key = - "-----BEGIN RSA PRIVATE KEY-----\n" - "MIIEpgIBAAKCAQEA0kWtjpRO7Zh2KX2naVE/BDJdrfwK9xexfNA0MkY2VJ4J2AKM\n" - "YTj1D1jntceryupCEHOvP3rum+WsFvPXduz9+VKnSsSqj4jcTUubtpDUGA5G79Iq\n" - "LEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq8JkqBPoCCwtUs73ruE9VbtsBO/kT\n" - "lASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCwS2OTvQDNvsXfFnA0ZJEEYw/rZLir\n" - "j7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12YxqHdy7gnJXodLhvE/cR4SN9VW7+qmC\n" - "MBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4+wIDAQABAoIBAQCwxqV/vc2RUGDe\n" - "xuXM0+IvrAw37jJlw4SS0xNexMp+XxMViCbuwYy851h96azS/himbiuCKd6aL/96\n" - "mGunbtyiFEvSvv5Jh5z2Wr9BQAcfZjla+4w7BIsg9UNifE/OfgLsQBu34xhsHtfK\n" - "7nFehCOl/I5n+qtnD5KZPe0DWacQdwY4vEAj6YyXdb2bBg+MiwE9KVxGEIUDbklh\n" - "Is70JXczjLZCS+lIpOKh0/lbZmBZePoUbVTtS+GvtPTpQC/aTHRkwGoEtuPEWpbL\n" - "0Q1d6zO+vDJVLJlb5FF2haghs8IlqAxkkPjeUTNye+WktRrDQxmPu/blbxQrygfq\n" - "Au5tBnsxAoGBAOiVtcpg32puo3Yq2Y78oboe9PuHaQP0d3DhwP3/7J0BeNslpjW7\n" - "E1LWsVsCanxTE8XPUdFfAWgMk7lQqESN0wawGmSmWk+eQPZdjHanBaC8vh7aKjo6\n" - "q9FdT1DKjrRi23QyDco3f3E7hvM93IAAhw1ikNu8DT19JAxtdeMh5WAZAoGBAOdw\n" - "6neEvIFXh3RWEv2/GKVhVR8mxDqxmuFdXpOF+YWsK0Tg4uC8jm9kUGnwXgT2Mjke\n" - "oAwYAFcRbHQQGsxy/vkV16kv4aurTE2hMpjeXCAakwV0Pi2w1f9WnDokjgORkOmc\n" - "+QK9I8egdFPMVDfQjhLslhSUY0Eb4qcJ6q9WxfQzAoGBANSsAFybk+7oWAO3TtQW\n" - "YXOk1vIgcYAyS/0mEKixGZS/QdlxZbf/5b17nxTO8rvX416fIftG2ixgQ7vR6us0\n" - "m9+jq56ZFj9zP4eHJudf9h9yNo5TgwVXnMCGh/4iGbcMJgrrsfxUHu5VNiK5UCSj\n" - "VtqAZGDoZVryUMIkXQVhezIRAoGBAN7QUIqcGbcUA24257Wu4hVlrUN+WPCAyDEr\n" - "aL/x/ZV5eXaoYwQlw6LuGpTDOmDgfN2M5FyARuOL/LOIRaSLGXnIU4WoeUSCd8VM\n" - "6Z9Og7bMnrpjfPEUDBH02hcH1kkNPUwLOZgva2Dm0tdSIcpSWFVTu/E4Io4uQHi8\n" - "DVqc2ZsNAoGBAJT76ezXNSSv8hnrKqTpwgTicpqhRZ3eFQjyl4HRL26AJMKv++x8\n" - "4/IsVIwxaHzpbN3nnCjmAHV4gX9YpxVnvYcZflC9WZeDkwNMLmPYb3Zg27EzSMfQ\n" - 
"8yrfWJZo3qobipcHf1yohAt4fHk9kUKtPHEwp0xKe//rfhswLb3VCzvQ\n" - "-----END RSA PRIVATE KEY-----"; - - const char *public_key = - "-----BEGIN PUBLIC KEY-----\n" - "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/\n" - "BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9\n" - "+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq\n" - "8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw\n" - "S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq\n" - "Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4\n" - "+wIDAQAB\n" - "-----END PUBLIC KEY-----"; - raw_buffer_s *dek = buffer_create(32); auto _raii1 = _safe(dek); 
@@ -137,28 +97,19 @@ BOOST_AUTO_TEST_CASE(encrypt_decrypt_app_dek) BOOST_REQUIRE_MESSAGE(dek != nullptr && dek->size == 32, "Failed to create buffer"); BOOST_REQUIRE_MESSAGE(_get_random(dek) == WAE_ERROR_NONE, "Failed to get random"); - raw_buffer_s pubkey; - - pubkey.buf = (unsigned char *)public_key; - pubkey.size = strlen(public_key); - raw_buffer_s *encrypted = nullptr; - int ret = encrypt_app_dek(&pubkey, dek, &encrypted); + int ret = encrypt_preloaded_app_dek(dek, &encrypted); auto _raii2 = _safe(encrypted); - BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to encrypt_app_dek. ec: " << ret); - - raw_buffer_s prikey; - prikey.buf = (unsigned char *)private_key; - prikey.size = strlen(private_key); + BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to encrypt_preloaded_app_dek. ec: " << ret); raw_buffer_s *decrypted = nullptr; - ret = decrypt_app_dek(&prikey, nullptr, encrypted, &decrypted); + ret = decrypt_preloaded_app_dek(encrypted, &decrypted); auto _raii3 = _safe(decrypted); - BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to decrypt_app_dek. ec: " << ret); + BOOST_REQUIRE_MESSAGE(ret == WAE_ERROR_NONE, "Failed to decrypt_preloaded_app_dek. ec: " << ret); BOOST_REQUIRE_MESSAGE(Wae::Test::bytes_to_hex(dek) == Wae::Test::bytes_to_hex(decrypted), "encrypted/decrypted dek isn't valid. " @@ -394,11 +345,6 @@ BOOST_AUTO_TEST_CASE(load_preloaded_app_dek_tolerances) BOOST_REQUIRE(load_preloaded_app_deks() == WAE_ERROR_NONE); BOOST_REQUIRE(does_dek_store_exist() == false); - // without kek(private key) - Wae::Test::restore_dek_store(); - BOOST_REQUIRE(load_preloaded_app_deks() == WAE_ERROR_FILE); - BOOST_REQUIRE(does_dek_store_exist() == false); - // with invalid file in dek store Wae::Test::restore_dummy_preloaded_app_dek_keks(); std::ofstream dst; diff --git a/tests/resources/CMakeLists.txt b/tests/resources/CMakeLists.txt deleted file mode 100644 index fa0856f..0000000 --- a/tests/resources/CMakeLists.txt +++ /dev/null 
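Review bot: `encrypt_decrypt_preloaded_app_dek` now only checks that encrypt followed by decrypt in the same process round-trips, and because `dek_kek` is derived once and cached, the test passes for any key the derivation happens to produce, including a degenerate one; the deleted version at least exercised a real key pair. Two cheap additions would make it meaningful: assert the ciphertext differs from the input, `BOOST_REQUIRE_MESSAGE(Wae::Test::bytes_to_hex(dek) != Wae::Test::bytes_to_hex(encrypted), "ciphertext equals plaintext");`, and a negative case for a null `dek` whose expected code matches whatever `encrypt_aes_cbc` returns for invalid input (not visible in this diff). Dropping the `// without kek(private key)` scenario from `load_preloaded_app_dek_tolerances` is consistent with the KEK no longer living in the dek store, but a one-line comment saying the store can no longer be "missing its KEK" would save the next reader from looking for the removed case.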
@@ -1,19 +0,0 @@ -# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -INSTALL( - FILES pubkey.pem prikey.pem - DESTINATION ${RW_SHARE_DIR}/wae/test/app_dek - PERMISSIONS OWNER_READ -) diff --git a/tests/resources/prikey.pem b/tests/resources/prikey.pem deleted file mode 100644 index e27950c..0000000 --- a/tests/resources/prikey.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,F4C783D75B0679F29398E9A3CAB4733D - -kxgW1wGX3TZZ/wtv3g4AOLlZCHoQ6uXVQ0h2ofWjnJs8tas/alR6o8UBRIqCw44t -znUvQ8HlThvzhGgxje/yDDSxCy9mqhgsi2XeTtAeUbMhFL6UArb3cs6M4a37lYoT -llZdFyYkRWJ3vRS33TDrhXDV6GjZWQ05SJ0OYdPJsmA1ENwdH+5NE/xLnqLdTtWr -O3Mn2vi6P9CVqZroCvYBzUaypGcmFhjTIbWmB6inXjoXyddzerh7PTDBDWWacBab -C7gcZC5SrK5YOt6f54ANsVQO8jnkLDx95gUSHYthX1hrQ3Da5Gb6nfYP9RNrHCum -O8RKxSOvv8zwbMlzqtld8xCOb7Nh04f8bofrzZVLZ0T92FcyFQmt1F4U6DNQqHsn -AAqxRxUWsC5k2dX9uZ6RCpEzNYWyPvNe24I/Kt01Geoh1NtCns8CVZcrxyMMtZRK -ZJnYhvNDXDQCDtMJjRBiEXXE++AdA2O6uFoGX3alKwtxAIjGI++pSRlz1GTps26x -5mmLil5wb3KGBfMN4L0R0heDOeiPQrNv7CwX8OlHtA1OKFBtViWdd/uZ2hAko1Tz -YkoYpHPQOV5LZ7dem/XNnwwel9g6AkHhLNJv5ih4Y0CQfPBSs+iiLbMHh/NaGDD9 -+kbcf5Lk4FQGVbJDW9nDAXT6jjMyliTI+hIh5fM2k22qbq6OqBkW6EbOQDMP/R2P -LhFqTgHceNt0mqpcDJdJQ0YKbxVpdkv5f1C4rW+pgUEeHDCQ7vPe4p44xQJ/Z/7Y -AtPwPKzPPJze2cfoUkZd9jXN9g2v2555xnQZU78IEm1nPVBA+hLIaqN1hu1Lkzxy -CwFNo7bMVh3FSBmZVtJlcLsyLxZ9UdoaSr+anfA0lWJPiBzE0whQljZp56l1rL1V -1K8m/dc9rLJ3uDQmYoSRmBZG5zZlVWCip+R9VAHMxRi1x29dFk1jbtQscr63dMI8 -0eOUf28Mw719WWUZVzD08b431DPqWiqrpexUKEXPW8EsrINPfIg180QYt1VUoshs -Tqi/LKM0OV6nlMGh9ieCK8WzVDW8F16krSLo6eJpIPYPZgkHE7fC7Jws1kpUrSnF -GgT6rBA97tJ0EalinuFXbip1X087Quz5USURq18f7/B6nFu0Kd4GhlICsR24j3eB -75SsTNmfUcko8s5QT4rwONEwtRffkGbbNEisCPcleJV68zHvN58mfD7Dl8W3zIO4 -Qk6B1Xy0C4EEniKFfjxIaMEaxrqntBIc+nZE6/+UoGp/Hj9r5ZdzQX2j4837IIdR -CxT4tjXiWBA6u3WaLAZUSM0W0SEORUF9NwzlId1b8A3WxA8XewhAKPaJEr677vzZ -083+neUOuXqqs597romLH1omuffxmHxBzmP+koUtemP78XxCBVWUAB1T+fBRJMz6 -9ZEgDWrMntJ1IaFoGdOWZELgwcXJ0KwWFuk+sieZ5WCCzNmFli9WPN/xSqwmdYw6 -RK9er5Vc8D9mAlmGlz2mpAmzNJHH30zYKT/d0XzBS8z6WBRthaTS3NLsiSeWdELH -b5+WEMOiKvZ19AXU2unHw/XpeVnAISOHhumAqFCwXkjVoMt8LMDawt6ra8N8G+gD ------END RSA PRIVATE KEY----- diff --git a/tests/resources/pubkey.pem b/tests/resources/pubkey.pem deleted file mode 100644 index f0dfcea..0000000 --- a/tests/resources/pubkey.pem +++ /dev/null 
@@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kWtjpRO7Zh2KX2naVE/ -BDJdrfwK9xexfNA0MkY2VJ4J2AKMYTj1D1jntceryupCEHOvP3rum+WsFvPXduz9 -+VKnSsSqj4jcTUubtpDUGA5G79IqLEPFuSBaqI8Uwkzd08pE+s30oaJDnNazMhSq -8JkqBPoCCwtUs73ruE9VbtsBO/kTlASIAfe8nXqcJLcDQgWYhizjJw0Pi6d74oCw -S2OTvQDNvsXfFnA0ZJEEYw/rZLirj7OHoOjz+Sh5N+1uA3Up6SPPEbHuP6L12Yxq -Hdy7gnJXodLhvE/cR4SN9VW7+qmCMBjmLkBejGrEX3STS9sLI7MZHu9Y26dwuYb4 -+wIDAQAB ------END PUBLIC KEY----- diff --git a/tests/test-helper.cpp b/tests/test-helper.cpp index ac17a0d..f6001e7 100644 --- a/tests/test-helper.cpp +++ b/tests/test-helper.cpp @@ -36,31 +36,9 @@ namespace Wae { namespace Test { -namespace { const uid_t UID_OWNER = 5001; -void copy_file(const char *src_path, const char *dst_path) -{ - std::ifstream src; - std::ofstream dst; - - src.exceptions(std::ifstream::failbit | std::ifstream::badbit); - dst.exceptions(std::ofstream::failbit | std::ofstream::badbit); - - src.open(src_path, std::ifstream::binary); - dst.open(dst_path, std::ofstream::binary); - - dst << src.rdbuf(); - - // std::ofstream destructor will call close automatically so no need to handle - // close in the exception cases - src.close(); - dst.close(); -} - -} // namespace anonymous - void add_get_remove_ce(wae_app_type_e app_type) { const char *pkg_id = "TEST_PKG_ID"; 
@@ -251,16 +229,9 @@ void remove_dek_store() void restore_dummy_preloaded_app_dek_keks() { - // Generate pri/pub key pair. Private key is protected - // with assigned password: APP_DEK_KEK_PRIKEY_PASSWORD) which is same to password - // of real private key because it's built in source of srcs/key_handler.c - // It should be removed after private key goes into key-manager initial-value. restore_dek_store(); - copy_file("/opt/share/wae/test/app_dek/prikey.pem", _get_dek_kek_pri_key_path()); - copy_file("/opt/share/wae/test/app_dek/pubkey.pem", _get_dek_kek_pub_key_path()); - - BOOST_MESSAGE("copying dummy pri/pub key pair to dek store done"); + BOOST_MESSAGE("Restored dek store done"); } } // namespace Test -- cgit v1.2.3
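Review bot: `restore_dummy_preloaded_app_dek_keks` now does nothing beyond `restore_dek_store()` plus a log line, yet its name still promises KEK files and the new message `"Restored dek store done"` reads awkwardly. If the wrapper is kept for its callers, say so: `// The KEK is now derived in-process, so restoring the dek store is all a test needs.` and `BOOST_MESSAGE("restoring dek store done");`. With the anonymous namespace removed, `UID_OWNER` is still a namespace-scope `const`, which has internal linkage in C++, so that part is harmless.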