src/ckm/initial-values.cpp

   1 /*
   2  *  Copyright (c) 2000 - 2015 Samsung Electronics Co.
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  * @file       system-db.cpp
  17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
  18  * @version    1.0
  19  */
  20 #include <dpl/test/test_runner.h>
  21 #include <dpl/test/test_runner_child.h>
  22 #include <tests_common.h>
  23 #include <ckm-common.h>
  24 #include <ckm/ckm-control.h>
  25 #include <ckmc/ckmc-manager.h>
  26 #include <access_provider2.h>
  27 #include <fstream>
  28 #include <ios>
  29 #include <unistd.h>
  30
  31 namespace
  32 {
  33 const uid_t USER_APP            = 5070;
  34 const uid_t GROUP_APP           = 5070;
  35 const char* APP_PASS            = "user-pass";
  36 const char* TEST_WEB_APP_1      = "web_app1";
  37 const char* TEST_WEB_APP_2      = "web_app2";
  38
  39 const char *XML_DEVICE_KEY              = "device_key.xml";
  40
  41 const char *XML_1_okay                  = "XML_1_okay.xml";
  42 std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  43 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
  44 std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
  45 // uncomment when AES is supported (+ usage in the tests)
  46 std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
  47 std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  48 std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  49 const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
  50 // encrypted
  51 std::string XML_1_EXPECTED_KEY_3_RSA_PRV    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
  52 std::string XML_1_EXPECTED_KEY_3_RSA_PUB    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
  53 std::string XML_1_EXPECTED_ASCII_DATA       = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
  54 std::string XML_1_EXPECTED_BIG_DATA         = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");
  55
  56 const char *XML_2_okay                  = "XML_2_okay.xml";
  57 std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
  58 std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
  59 // uncomment when AES is supported
  60 std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
  61 std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
  62 std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
  63 const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";
  64
  65 const char *XML_3_wrong                 = "XML_3_wrong.xml";
  66 std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
  67 std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
  68 // uncomment when AES is supported
  69 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  70 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  71
  72 std::string format_src_path(const char *file)
  73 {
  74     return std::string(CKM_TEST_DIR) + std::string(file);
  75 }
  76
  77 std::string format_dest_key_path(const char *file)
  78 {
  79     return std::string(CKM_RW_DATA_DIR) + std::string(file);
  80 }
  81
  82 std::string format_dest_path(const char *file)
  83 {
  84     return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
  85 }
  86
  87 void copy_file(const std::string &from, const std::string &to)
  88 {
  89     std::ifstream infile(from, std::ios_base::binary);
  90     RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
  91     std::ofstream outfile(to, std::ios_base::binary);
  92     RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
  93     outfile << infile.rdbuf();
  94 }
  95
  96 void restart_key_manager()
  97 {
  98     stop_service(MANAGER);
  99     start_service(MANAGER);
 100 }
 101
 102 void test_exists(const std::string& name, bool expected) {
 103     bool file_exists = (access( name.c_str(), F_OK ) != -1);
 104     RUNNER_ASSERT_MSG(file_exists == expected,
 105                       "File " << name << " status: " << file_exists <<
 106                       " while expected: " << expected);
 107 }
 108
 109 }
 110
 111
 112 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 113
 114 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP, RemoveDataEnv<0>)
 115 {
 116     // [prepare]
 117     // remove database 0
 118     // copy to the initial-values folder
 119     // [test0]
 120     // check XML file exists
 121     // restart the key-manager
 122     // check XML file exists - should fail
 123     // [test1]
 124     // check items existence as system service
 125     // [test2]
 126     // check items existence as web_app1
 127     // [test3]
 128     // check items existence as web_app2
 129
 130
 131     // [prepare]
 132     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 133     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 134
 135     // [test0]
 136     test_exists(format_dest_path(XML_1_okay), true);
 137     restart_key_manager();
 138     test_exists(format_dest_path(XML_1_okay), false);
 139
 140     // [test1]
 141     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 142     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 143     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 144     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 145     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 146
 147     // [test2]
 148     {
 149         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 150         ScopedAccessProvider ap(TEST_WEB_APP_1);
 151         ap.allowAPI("key-manager::api-storage", "rw");
 152         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 153
 154         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 155         check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
 156         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 157         check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
 158         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 159     }
 160
 161     // [test3]
 162     {
 163         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 164         ScopedAccessProvider ap(TEST_WEB_APP_2);
 165         ap.allowAPI("key-manager::api-storage", "rw");
 166         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 167
 168         check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
 169         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 170         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 171         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 172         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 173     }
 174 }
 175
 176 RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP, RemoveDataEnv<0>)
 177 {
 178     // [prepare]
 179     // remove database 0
 180     // copy two files to the initial-values folder
 181     // [test0]
 182     // check XML files exist
 183     // restart the key-manager
 184     // check XML files exist - should fail
 185     // [test1]
 186     // check items existence as system service
 187
 188     // [prepare]
 189     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 190     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 191     copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
 192
 193     // [test0]
 194     test_exists(format_dest_path(XML_1_okay), true);
 195     test_exists(format_dest_path(XML_1_okay), true);
 196     restart_key_manager();
 197     test_exists(format_dest_path(XML_2_okay), false);
 198     test_exists(format_dest_path(XML_2_okay), false);
 199
 200     // [test1]
 201     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 202     check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 203     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 204     check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 205     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 206     check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 207     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 208     check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
 209     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 210     check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
 211 }
 212
 213 RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP, RemoveDataEnv<0>)
 214 {
 215     // [prepare]
 216     // remove database 0
 217     // copy failing XML file to the initial-values folder
 218     // [test0]
 219     // check XML files exist
 220     // restart the key-manager
 221     // check XML files exist - should fail
 222     // [test1]
 223     // check items existence as system service - nothing should be available
 224
 225     // [prepare]
 226     copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
 227
 228     // [test0]
 229     test_exists(format_dest_path(XML_3_wrong), true);
 230     restart_key_manager();
 231     test_exists(format_dest_path(XML_3_wrong), false);
 232
 233     // [test1]
 234     check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
 235     check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
 236     check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
 237     check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
 238 }
 239
 240 RUNNER_TEST(T6040_CHECK_KEYS_VALID, RemoveDataEnv<0>)
 241 {
 242     // [prepare]
 243     // remove database 0
 244     // copy to the initial-values folder
 245     // restart the key-manager
 246     // [test]
 247     // check if key can create & verify signature
 248
 249     // [prepare]
 250     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 251     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 252     restart_key_manager();
 253
 254     // [test]
 255     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 256     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 257     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 258     ckmc_raw_buffer_s *signature = NULL;
 259     int temp;
 260     RUNNER_ASSERT_MSG(
 261             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 262                     XML_1_EXPECTED_KEY_2_RSA.c_str(),
 263                     NULL,
 264                     msg_buff,
 265                     hash_algo,
 266                     pad_algo,
 267                     &signature)),
 268             CKMCReadableError(temp));
 269
 270     // invalid password
 271     RUNNER_ASSERT_MSG(
 272             CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
 273                         XML_1_EXPECTED_KEY_1_RSA.c_str(),
 274                         NULL,
 275                         msg_buff,
 276                         *signature,
 277                         hash_algo,
 278                         pad_algo)),
 279                 CKMCReadableError(temp));
 280
 281     // correct password
 282     RUNNER_ASSERT_MSG(
 283             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 284                     XML_1_EXPECTED_KEY_1_RSA.c_str(),
 285                     XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
 286                     msg_buff,
 287                     *signature,
 288                     hash_algo,
 289                     pad_algo)),
 290             CKMCReadableError(temp));
 291
 292     ckmc_buffer_free(signature);
 293 }
 294
 295 RUNNER_TEST(T6050_ENCRYPTED_KEY, RemoveDataEnv<0>)
 296 {
 297     // [prepare]
 298     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 299     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 300     // remove database 0
 301     // copy to the initial-values folder
 302     // restart the key-manager
 303     // [test0]
 304     // check if encrypted private key is present
 305     // check if public key is present
 306     // [test1]
 307     // extract the private, encrypted key
 308     // extract the public key
 309     // create signature using the public key
 310     // verify signature using the decrypted private key
 311
 312     // [prepare]
 313     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 314     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 315     restart_key_manager();
 316
 317     // [test0]
 318     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
 319     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);
 320
 321
 322     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 323     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 324     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 325     ckmc_raw_buffer_s *signature = NULL;
 326     int temp;
 327     RUNNER_ASSERT_MSG(
 328             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 329                     XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
 330                     NULL,
 331                     msg_buff,
 332                     hash_algo,
 333                     pad_algo,
 334                     &signature)),
 335             CKMCReadableError(temp));
 336
 337     // invalid password
 338     RUNNER_ASSERT_MSG(
 339             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 340                         XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
 341                         NULL,
 342                         msg_buff,
 343                         *signature,
 344                         hash_algo,
 345                         pad_algo)),
 346                 CKMCReadableError(temp));
 347
 348     ckmc_buffer_free(signature);
 349 }
 350
 351 RUNNER_TEST(T6060_ENCRYPTED_ASCII_DATA, RemoveDataEnv<0>)
 352 {
 353     // [prepare]
 354     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 355     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 356     // remove database 0
 357     // copy to the initial-values folder
 358     // restart the key-manager
 359     // [test0]
 360     // extract data
 361     // check if data matches the expected size and content
 362
 363     // [prepare]
 364     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 365     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 366     restart_key_manager();
 367
 368     // [test0]
 369     ckmc_raw_buffer_s *testData1;
 370     int temp;
 371     RUNNER_ASSERT_MSG(
 372             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
 373             CKMCReadableError(temp));
 374     size_t expected_len = 15;
 375     RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
 376     RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
 377     ckmc_buffer_free(testData1);
 378 }
 379
 380 RUNNER_TEST(T6070_ENCRYPTED_BIG_DATA, RemoveDataEnv<0>)
 381 {
 382     // [prepare]
 383     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 384     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 385     // remove database 0
 386     // copy to the initial-values folder
 387     // restart the key-manager
 388     // [test0]
 389     // extract data
 390     // check if data matches the expected size
 391
 392     // [prepare]
 393     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 394     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 395     restart_key_manager();
 396
 397     // [test0]
 398     ckmc_raw_buffer_s *testData1;
 399     int temp;
 400     RUNNER_ASSERT_MSG(
 401             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
 402             CKMCReadableError(temp));
 403     RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
 404     ckmc_buffer_free(testData1);
 405 }