2 * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
22 #include <sys/types.h>
30 #include <vconf/vconf.h>
32 #include <dpl/test/test_runner.h>
33 #include <tests_common.h>
34 #include <ckm-common.h>
35 #include <ckm/ckm-manager.h>
36 #include <ckm/ckm-control.h>
37 #include <scoped_process_label.h>
42 #ifndef VCONFKEY_SECURITY_MDPP_STATE
43 #define VCONFKEY_SECURITY_MDPP_STATE "file/security_mdpp/security_mdpp_state"
48 const useconds_t SLEEP = 100*1000;
50 const size_t MAX_RETRIES = 50;
52 const char* const ENABLED = "Enabled";
53 const char* const ENFORCING = "Enforcing";
54 const char* const DISABLED = "Disabled";
55 const char* const READY = "Ready";
56 const char* const UNSET = "Unset"; // Meaningless value for unset.
58 const char* const USER_LABEL = "User";
59 const char* const CKM_LOCK = "/var/run/key-manager.pid";
61 // Wrapper for mdpp state that restores the original value upon destruction
69 void set(const char* const value);
75 MdppState::MdppState()
77 ScopedProcessLabel spl(USER_LABEL);
78 m_original = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
81 MdppState::~MdppState()
83 ScopedProcessLabel spl(USER_LABEL);
85 vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, UNSET);
87 vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, m_original);
91 void MdppState::set(const char* const value)
93 ScopedProcessLabel spl(USER_LABEL);
96 int ret = vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, value);
97 RUNNER_ASSERT_MSG(0 == ret,
98 "vconf_set() failed, ec: " << ret);
101 vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, UNSET);
106 Alias rsa_pri_alias = sharedDatabase("rsa-private-T2002");
107 Alias rsa_pub_alias = sharedDatabase("rsa-public-T2002");
108 Alias ecdsa_pri_alias = sharedDatabase("ecdsa-private-T2002");
109 Alias ecdsa_pub_alias = sharedDatabase("ecdsa-public-T2002");
110 Alias aes_alias = sharedDatabase("aes-T2002");
111 size_t aes_length = 128;
116 auto manager = Manager::create();
119 CKM_API_SUCCESS == (temp = manager->createKeyPairRSA(
123 Policy(Password(), true),
124 Policy(Password(), true))),
125 "Error=" << APICodeToString(temp));
128 CKM_API_SUCCESS == (temp = manager->createKeyPairECDSA(
129 ElipticCurve::prime192v1,
132 Policy(Password(), true),
133 Policy(Password(), true))),
134 "Error=" << APICodeToString(temp));
137 CKM_API_SUCCESS == (temp = manager->createKeyAES(
140 Policy(Password(), true))),
141 "Error=" << APICodeToString(temp));
144 void read_key(ManagerShPtr& manager, const Alias& alias, int expected) {
148 expected == (temp = manager->getKey(alias, Password(), key)),
149 "Expected: " << expected << "/" << APICodeToString(expected) << " got: " << temp << "/" <<
150 APICodeToString(temp));
153 void read_keys(int expected)
155 // if mdpp is disabled at compilation time we expect that read_key always succeeds
156 #ifndef DSECURITY_MDFPP_STATE_ENABLE
157 expected = CKM_API_SUCCESS;
159 auto manager = Manager::create();
161 read_key(manager, rsa_pri_alias, expected);
162 read_key(manager, ecdsa_pri_alias, expected);
163 read_key(manager, aes_alias, expected);
166 void update_cc_mode()
168 auto control = Control::create();
170 RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (ret = control->updateCCMode()),
171 "Error=" << APICodeToString(ret));
174 void restart_ckm(const char* const mdpp_setting)
176 stop_service(MANAGER);
178 mdpp.set(mdpp_setting);
179 start_service(MANAGER);
181 } // namespace anonymous
183 RUNNER_TEST_GROUP_INIT(CKM_CC_MODE);
185 RUNNER_TEST(TCC_0000_init)
190 // updatedCCMode should succeed regardless of mdpp setting
191 RUNNER_TEST(TCC_0010_updateCCMode)
210 mdpp.set("whatever");
214 // tests without listener (ckm only)
215 RUNNER_TEST(TCC_0020_noListener)
217 stop_service(LISTENER);
225 read_keys(CKM_API_SUCCESS);
229 // MJK, it's counter-intuitive: Disabled does not mean
230 // that CC mode is disabled, but that device
231 // self-test failed "device DISABLED"
232 read_keys(CKM_API_ERROR_BAD_REQUEST);
234 mdpp.set("whatever");
236 read_keys(CKM_API_SUCCESS);
240 read_keys(CKM_API_ERROR_BAD_REQUEST);
244 read_keys(CKM_API_ERROR_BAD_REQUEST);
248 read_keys(CKM_API_SUCCESS);
250 mdpp.set("whatever");
252 read_keys(CKM_API_SUCCESS);
256 read_keys(CKM_API_ERROR_BAD_REQUEST);
259 // when listener is started with mdpp key unset it should not update mdpp status in ckm
260 RUNNER_TEST(TCC_0030_noCallbackRegistered)
262 // restart listener without vconf callback
263 stop_service(LISTENER);
268 start_service(LISTENER);
272 read_keys(CKM_API_SUCCESS);
275 usleep(SLEEP); // give some time for notification to reach ckm
277 read_keys(CKM_API_SUCCESS);
280 // when listener is started with mdpp key set it should update mdpp status in ckm
281 RUNNER_TEST(TCC_0040_callbackRegistered)
283 // restart listener with vconf callback
284 stop_service(LISTENER);
288 start_service(LISTENER);
292 read_keys(CKM_API_ERROR_BAD_REQUEST);
294 mdpp.set("whatever");
295 usleep(SLEEP); // give some time for notification to reach ckm
296 read_keys(CKM_API_SUCCESS);
299 usleep(SLEEP); // give some time for notification to reach ckm
300 read_keys(CKM_API_ERROR_BAD_REQUEST);
303 usleep(SLEEP); // give some time for notification to reach ckm
304 read_keys(CKM_API_ERROR_BAD_REQUEST);
307 usleep(SLEEP); // give some time for notification to reach ckm
308 read_keys(CKM_API_SUCCESS);
311 usleep(SLEEP); // give some time for notification to reach ckm
312 read_keys(CKM_API_ERROR_BAD_REQUEST);
315 usleep(SLEEP); // give some time for notification to reach ckm
316 read_keys(CKM_API_SUCCESS);
319 // run ckm manually and see if it properly loads mdpp setting
320 RUNNER_TEST(TCC_0050_manualCkmDisabled)
322 restart_ckm(DISABLED);
326 read_keys(CKM_API_ERROR_BAD_REQUEST);
329 // run ckm manually and see if it properly loads mdpp setting
330 RUNNER_TEST(TCC_0060_manualCkmEnabled)
332 restart_ckm(ENABLED);
336 read_keys(CKM_API_ERROR_BAD_REQUEST);
339 // run ckm manually and see if it properly loads mdpp setting
340 RUNNER_TEST(TCC_0070_manualCkmEnforcing)
342 restart_ckm(ENFORCING);
346 read_keys(CKM_API_ERROR_BAD_REQUEST);
349 // run ckm manually and see if it properly loads mdpp setting
350 RUNNER_TEST(TCC_0075_manualCkmReady)
356 read_keys(CKM_API_SUCCESS);
359 // run ckm manually and see if it properly loads mdpp setting
360 RUNNER_TEST(TCC_0080_manualCkmWhatever)
362 restart_ckm("whatever");
366 read_keys(CKM_API_SUCCESS);
369 // run ckm manually and see if it properly loads mdpp setting
370 RUNNER_TEST(TCC_0090_manualCkmUnset)
376 read_keys(CKM_API_SUCCESS);
379 // make sure listener won't activate ckm to update mdpp
380 RUNNER_TEST(TCC_0100_listenerDoesntStartCkm)
382 stop_service(MANAGER);
383 stop_service(LISTENER);
388 start_service(LISTENER);
390 usleep(1000*1000); // by that time ckm would be already started
392 int lock = TEMP_FAILURE_RETRY(open(CKM_LOCK, O_RDWR));
393 RUNNER_ASSERT_MSG(-1 != lock, "Error in opening lock file. Errno: " << strerror(errno));
395 int ret = lockf(lock, F_TEST, 0);
397 RUNNER_ASSERT_MSG(ret == 0, "CKM lock is occupied. CKM seems to be running.");
400 RUNNER_TEST(TCC_9999_deinit)