src/ckm/privileged/initial-values.cpp

   1 /*
   2  *  Copyright (c) 2015 - 2019 Samsung Electronics Co.
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  * @file       system-db.cpp
  17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
  18  * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
  19  * @version    1.0
  20  */
  21 #include <dpl/test/test_runner.h>
  22 #include <dpl/test/test_runner_child.h>
  23 #include <tests_common.h>
  24 #include <ckm-common.h>
  25 #include <ckm-privileged-common.h>
  26 #include <ckm/ckm-control.h>
  27 #include <ckm/ckm-manager.h>
  28 #include <ckmc/ckmc-manager.h>
  29 #include <access_provider2.h>
  30 #include <fstream>
  31 #include <ios>
  32 #include <unistd.h>
  33
  34 namespace
  35 {
  36 const uid_t USER_APP            = 5070;
  37 const uid_t GROUP_APP           = 5070;
  38 const char* APP_PASS            = "user-pass";
  39
  40 const char *XML_DEVICE_KEY              = "device_key.xml";
  41
  42 const char *XML_1_okay                  = "XML_1_okay.xml";
  43 std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  44 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
  45 std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
  46 // uncomment when AES is supported (+ usage in the tests)
  47 std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
  48 std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  49 std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  50 const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
  51 // encrypted
  52 std::string XML_1_EXPECTED_KEY_3_RSA_PRV    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
  53 std::string XML_1_EXPECTED_KEY_3_RSA_PUB    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
  54 std::string XML_1_EXPECTED_ASCII_DATA       = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
  55 std::string XML_1_EXPECTED_BIG_DATA         = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");
  56
  57 const char *XML_2_okay                  = "XML_2_okay.xml";
  58 std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
  59 std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
  60 // uncomment when AES is supported
  61 std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
  62 std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
  63 std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
  64 const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";
  65
  66 const char *XML_3_wrong                 = "XML_3_wrong.xml";
  67 std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
  68 std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
  69 // uncomment when AES is supported
  70 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  71 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  72
  73 std::string format_src_path(const char *file)
  74 {
  75     return std::string(CKM_TEST_DIR) + std::string(file);
  76 }
  77
  78 std::string format_dest_key_path(const char *file)
  79 {
  80     return std::string(CKM_RW_DATA_DIR) + std::string(file);
  81 }
  82
  83 std::string format_dest_path(const char *file)
  84 {
  85     return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
  86 }
  87
  88 void copy_file(const std::string &from, const std::string &to)
  89 {
  90     std::ifstream infile(from, std::ios_base::binary);
  91     RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
  92     std::ofstream outfile(to, std::ios_base::binary);
  93     RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
  94     outfile << infile.rdbuf();
  95 }
  96
  97 void restart_key_manager()
  98 {
  99     stop_service(MANAGER);
 100     start_service(MANAGER);
 101 }
 102
 103 void test_exists(const std::string& name, bool expected) {
 104     bool file_exists = (access( name.c_str(), F_OK ) != -1);
 105     RUNNER_ASSERT_MSG(file_exists == expected,
 106                       "File " << name << " status: " << file_exists <<
 107                       " while expected: " << expected);
 108 }
 109
 110 }
 111
 112 int hexToBin(char h) {
 113     if (h >= '0' && h <= '9')
 114         return h - '0';
 115     if (h >= 'a' && h <= 'f')
 116         return h - 'a' + 10;
 117     if (h >= 'A' && h <= 'F')
 118         return h - 'A' + 10;
 119     RUNNER_ASSERT_MSG(false, "Input out of scope");
 120 }
 121
 122 CKM::RawBuffer hexToBin(std::string &hex) {
 123     CKM::RawBuffer output;
 124     output.resize(hex.size()/2);
 125     for (size_t i=0; i<output.size(); ++i) {
 126         output[i] = hexToBin(hex[i*2])*16 +
 127                     hexToBin(hex[i*2 + 1]);
 128     }
 129     return output;
 130 }
 131
 132 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 133
 134 RUNNER_TEST_TZ_BACKEND(T6001_init)
 135 {
 136     // [prepare]
 137     // remove database 0
 138     // copy to the initial-values folder
 139     // check XML file exists
 140     // restart the key-manager
 141     // check XML file doesn't exist
 142
 143     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 144     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 145     copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
 146     copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
 147
 148     test_exists(format_dest_path(XML_1_okay), true);
 149     test_exists(format_dest_path(XML_2_okay), true);
 150     test_exists(format_dest_path(XML_3_wrong), true);
 151
 152     restart_key_manager();
 153
 154     test_exists(format_dest_path(XML_1_okay), false);
 155     test_exists(format_dest_path(XML_2_okay), false);
 156     test_exists(format_dest_path(XML_3_wrong), false);
 157 }
 158
 159 RUNNER_TEST_TZ_BACKEND(T6010_PARSE_XML_FILE_AT_STARTUP)
 160 {
 161     // [test1]
 162     // check items existence as system service
 163     // [test2]
 164     // check items existence as TEST_LABEL
 165     // [test3]
 166     // check items existence as TEST_LABEL_2
 167
 168     // [test1]
 169     {
 170         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 171         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 172         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 173         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 174         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 175     }
 176
 177     // [test2]
 178     {
 179         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 180         ScopedAccessProvider ap(TEST_LABEL);
 181         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 182
 183         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 184         check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
 185         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 186         check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
 187         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 188     }
 189
 190     // [test3]
 191     {
 192         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 193         ScopedAccessProvider ap(TEST_LABEL_2);
 194         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 195
 196         check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
 197         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 198         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 199         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 200         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 201     }
 202 }
 203
 204 RUNNER_TEST_TZ_BACKEND(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
 205 {
 206     // [test]
 207     // check items existence as system service
 208     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 209     check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 210     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 211     check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 212     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 213     check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 214     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 215     check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
 216     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 217     check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
 218 }
 219
 220 RUNNER_TEST_TZ_BACKEND(T6030_PARSE_FAIL_XML_AT_STARTUP)
 221 {
 222     // [test]
 223     // check items existence as system service - nothing should be available
 224     check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
 225     check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
 226     check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
 227     check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
 228 }
 229
 230 RUNNER_TEST_TZ_BACKEND(T6040_CHECK_KEYS_VALID)
 231 {
 232     // [test]
 233     // check if key can create & verify signature
 234     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 235     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 236     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 237     ckmc_raw_buffer_s *signature = NULL;
 238     int temp;
 239     RUNNER_ASSERT_MSG(
 240             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 241                     XML_1_EXPECTED_KEY_2_RSA.c_str(),
 242                     NULL,
 243                     msg_buff,
 244                     hash_algo,
 245                     pad_algo,
 246                     &signature)),
 247             CKMCReadableError(temp));
 248
 249     // invalid password
 250     RUNNER_ASSERT_MSG(
 251             CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
 252                         XML_1_EXPECTED_KEY_1_RSA.c_str(),
 253                         NULL,
 254                         msg_buff,
 255                         *signature,
 256                         hash_algo,
 257                         pad_algo)),
 258                 CKMCReadableError(temp));
 259
 260     // correct password
 261     RUNNER_ASSERT_MSG(
 262             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 263                     XML_1_EXPECTED_KEY_1_RSA.c_str(),
 264                     XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
 265                     msg_buff,
 266                     *signature,
 267                     hash_algo,
 268                     pad_algo)),
 269             CKMCReadableError(temp));
 270
 271     ckmc_buffer_free(signature);
 272 }
 273
 274 RUNNER_TEST_TZ_BACKEND(T6050_ENCRYPTED_KEY)
 275 {
 276     // [prepare]
 277     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 278     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 279     // [test0]
 280     // check if encrypted private key is present
 281     // check if public key is present
 282     // [test1]
 283     // extract the private, encrypted key
 284     // extract the public key
 285     // create signature using the public key
 286     // verify signature using the decrypted private key
 287
 288     // [test0]
 289     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
 290     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);
 291
 292
 293     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 294     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 295     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 296     ckmc_raw_buffer_s *signature = NULL;
 297     int temp;
 298     RUNNER_ASSERT_MSG(
 299             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 300                     XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
 301                     NULL,
 302                     msg_buff,
 303                     hash_algo,
 304                     pad_algo,
 305                     &signature)),
 306             CKMCReadableError(temp));
 307
 308     // invalid password
 309     RUNNER_ASSERT_MSG(
 310             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 311                         XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
 312                         NULL,
 313                         msg_buff,
 314                         *signature,
 315                         hash_algo,
 316                         pad_algo)),
 317                 CKMCReadableError(temp));
 318
 319     ckmc_buffer_free(signature);
 320 }
 321
 322 RUNNER_TEST_TZ_BACKEND(T6060_ENCRYPTED_ASCII_DATA)
 323 {
 324     // [prepare]
 325     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 326     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 327     // [test0]
 328     // extract data
 329     // check if data matches the expected size and content
 330
 331     // [test0]
 332     ckmc_raw_buffer_s *testData1;
 333     int temp;
 334     RUNNER_ASSERT_MSG(
 335             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
 336             CKMCReadableError(temp));
 337     size_t expected_len = 15;
 338     RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
 339     RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
 340     ckmc_buffer_free(testData1);
 341 }
 342
 343 RUNNER_TEST_TZ_BACKEND(T6070_ENCRYPTED_BIG_DATA)
 344 {
 345     // [prepare]
 346     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 347     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 348     // [test0]
 349     // extract data
 350     // check if data matches the expected size
 351
 352     // [test0]
 353     ckmc_raw_buffer_s *testData1;
 354     int temp;
 355     RUNNER_ASSERT_MSG(
 356             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
 357             CKMCReadableError(temp));
 358     RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
 359     ckmc_buffer_free(testData1);
 360 }
 361
 362 RUNNER_TEST_TZ_BACKEND(T6999_deinit)
 363 {
 364     remove_user_data(0);
 365 }
 366
 367 RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
 368 {
 369     int temp;
 370     std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
 371     std::string iv         = EIV_MESSAGE_ENCRYPTION_IV;
 372
 373     copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
 374     restart_key_manager();
 375
 376     CKM::CryptoAlgorithm algo;
 377     CKM::RawBuffer messageBin = hexToBin(messageHex);
 378     CKM::RawBuffer ivBin(iv.begin(), iv.end());
 379     CKM::RawBuffer decrypted;
 380
 381     algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
 382     algo.setParam(CKM::ParamName::ED_IV, ivBin);
 383
 384     auto mgr = CKM::Manager::create();
 385     RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
 386     RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
 387 }
 388