/*
 *  Copyright (c) 2015 - 2019 Samsung Electronics Co.
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License
 */
/*
 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
 */
21 #include <dpl/test/test_runner.h>
22 #include <dpl/test/test_runner_child.h>
23 #include <tests_common.h>
24 #include <ckm-common.h>
25 #include <ckm-privileged-common.h>
26 #include <ckm/ckm-control.h>
27 #include <ckm/ckm-manager.h>
28 #include <ckmc/ckmc-manager.h>
29 #include <access_provider2.h>
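// Identity used by the label-switching sections of T6010: passed to
// ScopedDBUnlock and to applyAndSwithToUser().
const uid_t USER_APP = 5070;
// Second argument of applyAndSwithToUser(); typed as gid_t because it names a
// group, not a user.
const gid_t GROUP_APP = 5070;
// Password ScopedDBUnlock uses for USER_APP. Fixture value for the test
// device only.
const char* APP_PASS = "user-pass";

// Copied by T6001_init to CKM_RW_DATA_DIR (see format_dest_key_path()).
const char *XML_DEVICE_KEY = "device_key.xml";

// First well-formed initial-values file and the system-owned aliases the
// tests expect it to create.
const char *XML_1_okay = "XML_1_okay.xml";
std::string XML_1_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test-key1");
// Password T6040 supplies when it uses test-key1. Fixture value only.
std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
std::string XML_1_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test-key2");
// AES entry; it is declared and checked by T6010 and T6020.
std::string XML_1_EXPECTED_KEY_3_AES = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
std::string XML_1_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
std::string XML_1_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test-data1");
const char *XML_1_EXPECTED_DATA_1_DATA = "My secret data";

// Items exercised by the encrypted-value tests T6050, T6060 and T6070.
std::string XML_1_EXPECTED_KEY_3_RSA_PRV = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
std::string XML_1_EXPECTED_KEY_3_RSA_PUB = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
std::string XML_1_EXPECTED_ASCII_DATA = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
std::string XML_1_EXPECTED_BIG_DATA = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");

// Second well-formed initial-values file (checked together with the first
// one in T6020).
const char *XML_2_okay = "XML_2_okay.xml";
std::string XML_2_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
std::string XML_2_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
// AES entry; it is declared and checked by T6020.
std::string XML_2_EXPECTED_KEY_3_AES = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
std::string XML_2_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
std::string XML_2_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
const char *XML_2_EXPECTED_DATA_1_DATA = "My secret data";

// Deliberately malformed file: T6030 expects none of these aliases to exist.
const char *XML_3_wrong = "XML_3_wrong.xml";
std::string XML_3_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
std::string XML_3_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
// No AES alias is declared for XML_3, so T6030 does not cover an AES item.
std::string XML_3_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
std::string XML_3_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test3-data1");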
// Returns CKM_TEST_DIR followed directly by `file`; no separator is inserted.
std::string format_src_path(const char *file)
{
    std::string path(CKM_TEST_DIR);
    path += file;
    return path;
}
// Returns CKM_RW_DATA_DIR followed directly by `file`.
// NOTE(review): no '/' is inserted here, while format_dest_path() appends
// "/initial_values/" to the same macro. Confirm whether CKM_RW_DATA_DIR ends
// with a slash, otherwise the device key lands next to the directory, not in it.
std::string format_dest_key_path(const char *file)
{
    std::string path(CKM_RW_DATA_DIR);
    path += file;
    return path;
}
// Returns the path of `file` inside the "initial_values" sub-directory of
// CKM_RW_DATA_DIR, the folder the tests drop XML files into before restarting
// the key-manager.
std::string format_dest_path(const char *file)
{
    std::string path(CKM_RW_DATA_DIR);
    path += "/initial_values/";
    path += file;
    return path;
}
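// Copies `from` to `to` byte for byte and fails the test if the source cannot
// be opened, the destination cannot be created, or the write does not
// complete. A truncated initial-values file must not reach the key-manager
// unnoticed, so the stream state is checked again after the copy.
// Note: an empty source file also trips the final check, because inserting
// zero characters from a stream buffer sets failbit on the output stream.
void copy_file(const std::string &from, const std::string &to)
{
    std::ifstream infile(from, std::ios_base::binary);
    RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
    std::ofstream outfile(to, std::ios_base::binary);
    RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
    outfile << infile.rdbuf();
    // Push buffered bytes out now so that a short write is visible in the
    // stream state instead of being lost in the destructor.
    outfile.flush();
    RUNNER_ASSERT_MSG(outfile, "Copying " << from << " to " << to << " failed.");
}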
// Stops and then starts the MANAGER service. The tests call this after
// placing XML files in the initial-values folder and then check the result
// (T6001_init: the files are gone; T7000: the imported key decrypts).
void restart_key_manager()
{
    stop_service(MANAGER);
    start_service(MANAGER);
}
// Asserts that the presence of `name` on disk equals `expected`.
// Presence is probed with access(F_OK); any access() failure, not only a
// missing file, is therefore reported as "does not exist".
void test_exists(const std::string& name, bool expected) {
    const bool file_exists = (access(name.c_str(), F_OK) == 0);
    RUNNER_ASSERT_MSG(file_exists == expected,
                      "File " << name << " status: " << file_exists <<
                      " while expected: " << expected);
}
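// Converts one hexadecimal digit ('0'-'9', 'a'-'f', 'A'-'F') to its value
// 0..15. Any other character fails the test with "Input out of scope".
int hexToBin(char h) {
    if (h >= '0' && h <= '9')
        return h - '0';
    if (h >= 'a' && h <= 'f')
        return h - 'a' + 10;
    if (h >= 'A' && h <= 'F')
        return h - 'A' + 10;
    RUNNER_ASSERT_MSG(false, "Input out of scope");
    // Only reached if the assertion macro returns; keeps every path of a
    // non-void function returning a value.
    return -1;
}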
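// Decodes a hexadecimal string into bytes, two digits per byte, high nibble
// first. Fails the test on an odd number of digits, because integer division
// would otherwise drop the last digit silently, and (through hexToBin(char))
// on any character that is not a hex digit.
CKM::RawBuffer hexToBin(std::string &hex) {
    RUNNER_ASSERT_MSG(hex.size() % 2 == 0, "Hex input has odd length: " << hex.size());
    CKM::RawBuffer output;
    output.resize(hex.size()/2);
    for (size_t i=0; i<output.size(); ++i) {
        output[i] = hexToBin(hex[i*2])*16 +
                    hexToBin(hex[i*2 + 1]);
    }
    return output;
}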
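RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);

// Stages the fixtures for the T60xx group and checks that the key-manager
// consumes the initial-values folder on start-up: all three XML files,
// including the malformed XML_3_wrong, must be gone after the restart.
// The device key file is copied as well, but its fate is not checked here.
RUNNER_TEST_TZ_BACKEND(T6001_init)
{
    // copy to the initial-values folder
    // check XML file exists
    // restart the key-manager
    // check XML file doesn't exist

    copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
    copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
    copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
    copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));

    test_exists(format_dest_path(XML_1_okay), true);
    test_exists(format_dest_path(XML_2_okay), true);
    test_exists(format_dest_path(XML_3_wrong), true);

    restart_key_manager();

    // A file left behind would keep its contents readable on disk after
    // import, so absence is asserted for every file, valid or not.
    test_exists(format_dest_path(XML_1_okay), false);
    test_exists(format_dest_path(XML_2_okay), false);
    test_exists(format_dest_path(XML_3_wrong), false);
}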
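// Checks, for three different callers, which XML_1 items are reachable.
// Expected outcome per caller, as asserted below:
//
//   item       system service    TEST_LABEL        TEST_LABEL_2
//   key1 RSA   NOT_EXPORTABLE    NOT_EXPORTABLE    not visible
//   key2 RSA   allowed           not visible       allowed
//   key3 AES   allowed           allowed           allowed
//   cert1      allowed           not visible       allowed
//   data1      readable          readable          readable
//
// The "not visible" rows are the negative half of the access-control check:
// an item must not be reachable under a label it is not expected for.
// Each caller gets its own scope so that the ScopedDBUnlock and
// ScopedAccessProvider objects of one section end before the next begins.
RUNNER_TEST_TZ_BACKEND(T6010_PARSE_XML_FILE_AT_STARTUP)
{
    // check items existence as system service
    {
        check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
        check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }

    // check items existence as TEST_LABEL
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAccessProvider ap(TEST_LABEL);
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);

        check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
        check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }

    // check items existence as TEST_LABEL_2
    {
        ScopedDBUnlock unlock(USER_APP, APP_PASS);
        ScopedAccessProvider ap(TEST_LABEL_2);
        ap.applyAndSwithToUser(USER_APP, GROUP_APP);

        check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
        check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
        check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
        check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
        check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    }
}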
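// Checks that the items of both well-formed files, XML_1 and XML_2, are
// reachable after the same start-up. Each check is run for the XML_1 alias
// and then for its XML_2 counterpart.
RUNNER_TEST_TZ_BACKEND(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
{
    // check items existence as system service
    check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
    check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
    check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
    check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
    check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
    check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
    check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
    check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
    check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
    check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
}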
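// Negative test for the malformed file XML_3_wrong: none of the four aliases
// it is associated with may be visible. This is the fail-closed property of
// the import, namely that a file which fails to parse leaves nothing behind
// in the store.
// NOTE(review): which part of XML_3_wrong is malformed is not visible from
// this file; confirm that the entries checked here are ones that would have
// been imported by a parser that stops at the first error.
RUNNER_TEST_TZ_BACKEND(T6030_PARSE_FAIL_XML_AT_STARTUP)
{
    // check items existence as system service - nothing should be available
    check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
    check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
    check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
    check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
}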
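// Checks that the imported RSA keys are usable and that the password on
// test-key1 is enforced:
//   1. sign a fixed message with test-key2 (no password),
//   2. verify with test-key1 and no password, which must return
//      CKMC_ERROR_AUTHENTICATION_FAILED,
//   3. verify with test-key1 and XML_1_EXPECTED_KEY_1_PASSWD, which must succeed.
// Step 2 is the security-relevant one: a password-protected key must not be
// usable without its password.
// NOTE(review): in each call only the alias (and, in step 3, the password)
// is certain; the remaining arguments follow the parameter order of
// ckmc_create_signature() / ckmc_verify_signature(). Confirm against
// ckmc-manager.h.
RUNNER_TEST_TZ_BACKEND(T6040_CHECK_KEYS_VALID)
{
    // check if key can create & verify signature
    ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
    ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
    ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
    ckmc_raw_buffer_s *signature = NULL;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_create_signature(
                    XML_1_EXPECTED_KEY_2_RSA.c_str(),
                    NULL,
                    msg_buff,
                    hash_algo,
                    pad_algo,
                    &signature)),
            CKMCReadableError(temp));

    // no password given: the protected key must refuse to operate
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
                    XML_1_EXPECTED_KEY_1_RSA.c_str(),
                    NULL,
                    msg_buff,
                    *signature,
                    hash_algo,
                    pad_algo)),
            CKMCReadableError(temp));

    // correct password: verification must succeed
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
                    XML_1_EXPECTED_KEY_1_RSA.c_str(),
                    XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
                    msg_buff,
                    *signature,
                    hash_algo,
                    pad_algo)),
            CKMCReadableError(temp));

    ckmc_buffer_free(signature);
}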
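// Checks a key pair whose private half was delivered encrypted in the
// initial-values file: both halves must be present, and a signature made
// with the private key must verify with the public key. A successful
// round trip shows the private key was decrypted correctly on import.
// NOTE(review): in each call only the alias is certain; the remaining
// arguments follow the parameter order of ckmc_create_signature() /
// ckmc_verify_signature(). Confirm against ckmc-manager.h.
RUNNER_TEST_TZ_BACKEND(T6050_ENCRYPTED_KEY)
{
    // How the encrypted fixture values were produced (RSA-OAEP); this is
    // separate from the PKCS#1 padding used for the signature below.
    // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
    // (rsautl is deprecated since OpenSSL 3.0; openssl pkeyutl with
    //  -pkeyopt rsa_padding_mode:oaep is its replacement.)

    // check if encrypted private key is present
    // check if public key is present

    // extract the private, encrypted key
    // extract the public key
    // create signature using the decrypted private key
    // verify signature using the public key

    check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
    check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);

    ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
    ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
    ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
    ckmc_raw_buffer_s *signature = NULL;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_create_signature(
                    XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
                    NULL,
                    msg_buff,
                    hash_algo,
                    pad_algo,
                    &signature)),
            CKMCReadableError(temp));

    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
                    XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
                    NULL,
                    msg_buff,
                    *signature,
                    hash_algo,
                    pad_algo)),
            CKMCReadableError(temp));

    ckmc_buffer_free(signature);
}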
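// Reads the data item that was delivered encrypted in the initial-values
// file and checks that the stored value is the decrypted plaintext: 15 bytes
// equal to "My secret data\n". The size is asserted before memcmp() so the
// comparison never reads past the returned buffer.
RUNNER_TEST_TZ_BACKEND(T6060_ENCRYPTED_ASCII_DATA)
{
    // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key

    // check if data matches the expected size and content

    // Initialised so the pointer is never indeterminate if ckmc_get_data()
    // fails without writing to it.
    ckmc_raw_buffer_s *testData1 = NULL;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
            CKMCReadableError(temp));
    size_t expected_len = 15;
    RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
    RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
    ckmc_buffer_free(testData1);
}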
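// Reads the binary data item that was delivered encrypted in the
// initial-values file and checks its size (5918 bytes).
// Only the length is compared; the contents are not, so a decryption that
// yields the right number of wrong bytes would still pass this test.
RUNNER_TEST_TZ_BACKEND(T6070_ENCRYPTED_BIG_DATA)
{
    // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key

    // check if data matches the expected size

    // Initialised so the pointer is never indeterminate if ckmc_get_data()
    // fails without writing to it.
    ckmc_raw_buffer_s *testData1 = NULL;
    int temp;
    RUNNER_ASSERT_MSG(
            CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
            CKMCReadableError(temp));
    RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
    ckmc_buffer_free(testData1);
}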
362 RUNNER_TEST_TZ_BACKEND(T6999_deinit)
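// End-to-end check of an encrypted initial-values file: the XML is dropped
// into the initial-values folder, the key-manager is restarted, and the key
// stored under "/System TEI_0" is then used to AES-CBC-decrypt a known
// ciphertext. The plaintext must equal EIV_PLAIN_MESSAGE.
// AES-CBC carries no integrity tag, so the final string comparison is the
// only evidence that the right key was imported.
// NOTE(review): that "/System TEI_0" is the key defined in
// EIV_TEST_XML_FILENAME is inferred from the test flow; confirm against the
// fixture.
RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
{
    int temp;
    std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
    std::string iv = EIV_MESSAGE_ENCRYPTION_IV;

    copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
    restart_key_manager();

    CKM::CryptoAlgorithm algo;
    // The ciphertext is kept as hex text and decoded here; the IV is used as
    // the raw bytes of the string, not hex-decoded.
    CKM::RawBuffer messageBin = hexToBin(messageHex);
    CKM::RawBuffer ivBin(iv.begin(), iv.end());
    CKM::RawBuffer decrypted;

    algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
    algo.setParam(CKM::ParamName::ED_IV, ivBin);

    auto mgr = CKM::Manager::create();
    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
    RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
}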