1 /*
2  *  Copyright (c) 2015 - 2019 Samsung Electronics Co.
3  *
4  *  Licensed under the Apache License, Version 2.0 (the "License");
5  *  you may not use this file except in compliance with the License.
6  *  You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *  Unless required by applicable law or agreed to in writing, software
11  *  distributed under the License is distributed on an "AS IS" BASIS,
12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  *  See the License for the specific language governing permissions and
14  *  limitations under the License
15  *
 * @file       initial-values.cpp
17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
18  * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
19  * @version    1.0
20  */
#include <dpl/test/test_runner.h>
#include <dpl/test/test_runner_child.h>
#include <tests_common.h>
#include <ckm-common.h>
#include <ckm-privileged-common.h>
#include <ckm/ckm-control.h>
#include <ckm/ckm-manager.h>
#include <ckmc/ckmc-manager.h>
#include <access_provider2.h>
#include <fstream>
#include <ios>
#include <memory>
#include <unistd.h>
33
namespace
{
// Identity the tests assume when they impersonate an application client.
const uid_t USER_APP            = 5070;
const uid_t GROUP_APP           = 5070;
const char* APP_PASS            = "user-pass";

// Fixture 1: a well-formed initial-values file. All imported aliases live in
// the system DB, hence the ckmc_owner_id_system label on every expected name.
const char *XML_1_okay                  = "XML_1_okay.xml";
std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";   // password protecting test-key1 in the fixture
std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";

// Fixture 2: a second well-formed file, consumed during the same start-up as
// fixture 1 so that multi-file import can be checked.
const char *XML_2_okay                  = "XML_2_okay.xml";
std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";

// Fixture 3: a malformed file. None of these aliases may ever appear in the
// DB; they exist only so the negative test can probe for them.
const char *XML_3_wrong                 = "XML_3_wrong.xml";
std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");

// Path of a fixture as shipped with the test package.
std::string format_src_path(const char *file)
{
    std::string path(CKM_TEST_DIR);
    path += file;
    return path;
}

// Path of a fixture inside the directory the key-manager scans for initial
// values when it starts.
std::string format_dest_path(const char *file)
{
    std::string path(CKM_RW_DATA_DIR);
    path += "/initial_values/";
    path += file;
    return path;
}

// Byte-for-byte copy of a fixture into the initial-values directory.
// Failure to open either side is a test failure; a missing destination
// usually means the key-manager package did not create the directory.
// NOTE(review): the copy is created with the process umask, and the fixtures
// carry key material - presumably acceptable because the service removes
// them on start-up, but worth keeping in mind if the runner ever aborts
// between copy and restart.
void copy_file(const std::string &from, const std::string &to)
{
    std::ifstream src(from, std::ios::binary);
    RUNNER_ASSERT_MSG(src, "Input file " << from << " does not exist.");
    std::ofstream dst(to, std::ios::binary);
    RUNNER_ASSERT_MSG(dst, "Output file " << to << " does not exist. Reinstall key-manager.");
    dst << src.rdbuf();
}

// Bounce the key-manager so it re-scans the initial-values directory.
void restart_key_manager()
{
    stop_service(MANAGER);
    start_service(MANAGER);
}

// Assert that the file `name` is present (expected == true) or absent.
void test_exists(const std::string& name, bool expected) {
    const bool present = (::access(name.c_str(), F_OK) == 0);
    RUNNER_ASSERT_MSG(present == expected,
                      "File " << name << " status: " << present <<
                      " while expected: " << expected);
}

}
99
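/*
 * Decodes a single hexadecimal digit (either case) to its value 0..15.
 *
 * Any other character is a fixture bug and is reported through the test
 * runner's assertion, which is expected to throw. The trailing return exists
 * so that control never falls off the end of a non-void function (undefined
 * behaviour) should the compiler not treat the macro as non-returning.
 */
int hexToBin(char h) {
    if (h >= '0' && h <= '9')
        return h - '0';
    if (h >= 'a' && h <= 'f')
        return h - 'a' + 10;
    if (h >= 'A' && h <= 'F')
        return h - 'A' + 10;
    RUNNER_ASSERT_MSG(false, "Input out of scope");
    return -1;
}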
109
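/*
 * Decodes a hex string (two digits per byte, either case) into a byte buffer.
 *
 * The string must have even length. A trailing odd nibble used to be dropped
 * silently, which would turn a truncated ciphertext fixture into a shorter
 * buffer and a confusing decrypt failure; it is now reported up front.
 * The non-const reference parameter is kept for source compatibility with
 * existing callers.
 */
CKM::RawBuffer hexToBin(std::string &hex) {
    RUNNER_ASSERT_MSG(hex.size() % 2 == 0,
                      "Hex string has odd length: " << hex.size());
    CKM::RawBuffer output;
    output.resize(hex.size() / 2);
    for (size_t i = 0; i < output.size(); ++i) {
        // each hexToBin(char) call asserts on a non-hex character
        output[i] = hexToBin(hex[i * 2]) * 16 +
                    hexToBin(hex[i * 2 + 1]);
    }
    return output;
}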
119
120 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
121
RUNNER_TEST(T6001_init)
{
    // [prepare]
    // Stage all three fixtures (two valid, one malformed) in the
    // initial-values directory, make sure they landed, restart the service
    // and check that it consumed them: every file must be gone afterwards,
    // whether or not its content was accepted. A file left behind would keep
    // provisioning material on disk after import.
    // The system DB itself is only cleaned up in T6999_deinit.
    const char *fixtures[] = { XML_1_okay, XML_2_okay, XML_3_wrong };

    for (const char *fixture : fixtures)
        copy_file(format_src_path(fixture), format_dest_path(fixture));

    for (const char *fixture : fixtures)
        test_exists(format_dest_path(fixture), true);

    restart_key_manager();

    for (const char *fixture : fixtures)
        test_exists(format_dest_path(fixture), false);
}
145
RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
{
    // Access-control view of the items imported from XML_1_okay.xml (staged
    // and consumed in T6001_init). The same aliases are probed three times
    // under different identities; which item is visible to whom presumably
    // comes from the fixture's permission entries, so a mismatch here means
    // the importer applied the wrong ACL.
    // [test1]
    // check items existence as system service
    // [test2]
    // check items existence as TEST_LABEL
    // [test3]
    // check items existence as TEST_LABEL_2

    // [test1] - running as the privileged test process itself
    {
        // test-key1 exists but is not exportable: the read must fail with
        // exactly this error rather than "not found".
        check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
        check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }

    // [test2] - impersonate an application labelled TEST_LABEL: the user DB
    // is unlocked first, then the label and uid/gid are switched for the
    // rest of the scope (the scoped objects undo this in reverse order).
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAccessProvider ap(TEST_LABEL);
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);

        check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
        // test-key2 and test-cert1 are not granted to TEST_LABEL; they must
        // look absent to this client (presumably "not found" rather than
        // "denied", so their existence is not disclosed).
        check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }

    // [test3] - same user, but labelled TEST_LABEL_2: a different subset is
    // reachable, which shows the decision is made per label, not per uid.
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);

        // test-key1 is hidden from TEST_LABEL_2 although TEST_LABEL may
        // reach it (and hit the not-exportable error) above.
        check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
        check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }
}
190
RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
{
    // [test]
    // Both well-formed fixtures were present during the same start-up
    // (T6001_init), so the items of each must coexist in the system DB with
    // the same visibility a single file gets in T6010 [test1]. Items are
    // probed pairwise - fixture 1 then fixture 2 - per item kind.
    // check items existence as system service
    check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
    check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
    check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
    check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
    check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
    check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
    check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
    check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
    check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
}
206
RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
{
    // [test]
    // XML_3_wrong.xml (staged in T6001_init) is malformed: the importer must
    // reject it and none of its aliases may show up in the system DB. Every
    // item kind is probed, not just the first one, so that a partial import
    // - which would provision material nobody validated - is caught too.
    // check items existence as system service - nothing should be available
    check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
    check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
    check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
    check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
}
216
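RUNNER_TEST(T6040_CHECK_KEYS_VALID)
{
    // [test]
    // Sign with test-key2 (no password) and verify with test-key1, which the
    // fixture protects with XML_1_EXPECTED_KEY_1_PASSWD: verification must be
    // refused without the password and succeed with it.
    // NOTE(review): this only holds if test-key1 and test-key2 come from the
    // same key pair in XML_1_okay.xml - confirm against the fixture.
    ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
    ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
    ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
    ckmc_raw_buffer_s *signature = NULL;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_create_signature(
                    XML_1_EXPECTED_KEY_2_RSA.c_str(),
                    NULL,
                    msg_buff,
                    hash_algo,
                    pad_algo,
                    &signature)),
            CKMCReadableError(temp));
    // Own the signature from here on so ckmc_buffer_free runs even when one
    // of the assertions below throws; a plain free at the end is skipped on
    // the failure path.
    std::unique_ptr<ckmc_raw_buffer_s, decltype(&ckmc_buffer_free)>
            signature_guard(signature, &ckmc_buffer_free);

    // no password supplied for the password-protected key: must be refused
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
                        XML_1_EXPECTED_KEY_1_RSA.c_str(),
                        NULL,
                        msg_buff,
                        *signature,
                        hash_algo,
                        pad_algo)),
                CKMCReadableError(temp));

    // correct password
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
                    XML_1_EXPECTED_KEY_1_RSA.c_str(),
                    XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
                    msg_buff,
                    *signature,
                    hash_algo,
                    pad_algo)),
            CKMCReadableError(temp));
}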
260
RUNNER_TEST(T6999_deinit)
{
    // Wipe the system (uid 0) database so the items provisioned by the
    // fixtures do not survive into unrelated tests.
    remove_user_data(0);
}
265
RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
{
    // Provision the encrypted-initial-values fixture, restart the service and
    // prove the imported key is usable: decrypting the fixture's ciphertext
    // with it must yield the known plaintext. Registered for the TZ backend
    // only; RemoveDataEnv<0> clears the system DB around the test.
    copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
    restart_key_manager();

    // The ciphertext constant is hex-encoded, the IV constant is used as raw
    // bytes. NOTE(review): confirm EIV_MESSAGE_ENCRYPTION_IV really is a raw
    // 16-byte string and not hex like the message.
    std::string ciphertextHex = EIV_ENCRYPTED_MESSAGE_HEX;
    const std::string ivText = EIV_MESSAGE_ENCRYPTION_IV;
    CKM::RawBuffer ciphertext = hexToBin(ciphertextHex);
    CKM::RawBuffer ivBytes(ivText.begin(), ivText.end());

    CKM::CryptoAlgorithm aesCbc;
    aesCbc.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
    aesCbc.setParam(CKM::ParamName::ED_IV, ivBytes);

    // "/System TEI_0" is the fixture key's alias spelled out by hand; the
    // other tests build such names via aliasWithLabel(), so this literal
    // breaks first if the label/alias separator ever changes.
    CKM::RawBuffer plaintext;
    auto manager = CKM::Manager::create();
    int rc = manager->decrypt(aesCbc, "/System TEI_0", CKM::Password(), ciphertext, plaintext);
    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == rc, "Failed to decrypt " << CKM::APICodeToString(rc));
    RUNNER_ASSERT_MSG(std::string(plaintext.begin(), plaintext.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
}
287
288 /* TODO
289  * - RW/RO location support (files removal, flag handling)
290  * - item overwrite
291  * - backend attribute support
292  * - independent tests
293  * - different formats (also encrypted)
294  * - complex tests using ckm-initial-values tool
295  */