2 * Copyright (c) 2000 - 2015 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
20 #include <dpl/test/test_runner.h>
21 #include <tests_common.h>
22 #include <ckm-common.h>
23 #include <ckm-privileged-common.h>
24 #include <ckm/ckm-control.h>
25 #include <ckmc/ckmc-manager.h>
26 #include <ckmc/ckmc-type.h>
27 #include <access_provider2.h>
29 #include <sys/types.h>
33 const uid_t USER_SERVICE = 0;
34 const uid_t USER_SERVICE_2 = 1234;
35 const uid_t GROUP_SERVICE_2 = 1234;
36 const uid_t USER_SERVICE_MAX = 4999;
37 const uid_t GROUP_SERVICE_MAX = 4999;
38 const uid_t USER_SERVICE_FAIL = 5000;
39 const uid_t GROUP_SERVICE_FAIL = 5000;
40 const uid_t USER_APP = 5050;
41 const uid_t GROUP_APP = 5050;
42 const char* APP_PASS = "user-pass";
44 const char* TEST_ALIAS = "test-alias";
45 const char* INVALID_LABEL = "coco-jumbo";
46 const char* TEST_PASSWORD = "ckm-password";
47 std::string TEST_SYSTEM_ALIAS = sharedDatabase(TEST_ALIAS);
48 std::string TEST_SYSTEM_ALIAS_2 = sharedDatabase("test-alias-2");
50 const char* TEST_DATA =
51 "Lorem Ipsum. At vero eos et accusamus et iusto odio dignissimos ducimus "
52 "qui blanditiis praesentium voluptatum deleniti atque corrupti quos dolores "
53 "et quas molestias excepturi sint occaecati cupiditate non provident, "
54 "similique sunt in culpa qui officia deserunt mollitia animi, id est "
55 "laborum et dolorum fuga. ";
59 RUNNER_TEST_GROUP_INIT(T50_SYSTEM_DB);
61 RUNNER_TEST(T5010_CLIENT_APP_LOCKED_PRIVATE_DB)
63 RUNNER_IGNORED_MSG("This test is turn off because fix "
64 "from tizen 2.4 that unlock db with empty password");
66 // start as system service
67 // add resource to the system DB
68 // add permission to the resource to a user app
70 // switch to user app, leave DB locked
71 // try to access system DB item - expect success
74 remove_user_data(USER_APP);
75 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
76 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
80 ScopedAccessProvider ap(TEST_LABEL);
81 ap.allowAPI("key-manager::api-storage", "rw");
82 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
84 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
88 RUNNER_TEST(T5020_CLIENT_APP_ADD_TO_PRIVATE_DB)
91 // switch to user app, unlock DB
92 // when accessing private DB - owner==me
93 // try to write to private DB - expect success
94 // try to get item from private DB - expect success
98 remove_user_data(USER_APP);
99 ScopedDBUnlock unlock(USER_APP, APP_PASS);
100 ScopedAccessProvider ap(TEST_LABEL);
101 ap.allowAPI("key-manager::api-storage", "rw");
102 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
104 ScopedSaveData ssd(TEST_ALIAS, TEST_DATA);
105 check_read(TEST_ALIAS, TEST_LABEL, TEST_DATA);
109 RUNNER_TEST(T5030_CLIENT_APP_TRY_ADDING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
112 // switch to user app, unlock DB
113 // try to add item to system DB - expect fail
117 ScopedDBUnlock unlock(USER_APP, APP_PASS);
118 ScopedAccessProvider ap(TEST_LABEL);
119 ap.allowAPI("key-manager::api-storage", "rw");
120 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
122 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
123 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
127 RUNNER_TEST(T5031_CLIENT_APP_ACCESS_WITH_PERMISSION, RemoveDataEnv<0, USER_APP>)
130 // start as system service
131 // add resource to the system DB
132 // add permission to the resource to a user app
134 // switch to user app, unlock DB
135 // try to access the system item - expect success
137 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
138 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
142 ScopedDBUnlock unlock(USER_APP, APP_PASS);
143 ScopedAccessProvider ap(TEST_LABEL);
144 ap.allowAPI("key-manager::api-storage", "rw");
145 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
147 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
151 RUNNER_TEST(T5032_CLIENT_APP_ACCESS_NO_PERMISSION, RemoveDataEnv<0, USER_APP>)
154 // start as system service
155 // add resource to the system DB
157 // switch to user app, unlock DB
158 // try to access the system item - expect fail
161 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
165 ScopedDBUnlock unlock(USER_APP, APP_PASS);
166 ScopedAccessProvider ap(TEST_LABEL);
167 ap.allowAPI("key-manager::api-storage", "rw");
168 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
170 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
174 RUNNER_TEST(T5033_CLIENT_APP_PERMISSION_REMOVAL, RemoveDataEnv<0, USER_APP>)
177 // start as system service
178 // add resource to the system DB
179 // add permission to the resource to a user app
181 // switch to user app, unlock DB
182 // try to access the system item - expect success
184 // as system service, remove the item (expecting to remove permission)
185 // add item again, do not add permission
187 // switch to user app, unlock DB
188 // try to access the system item - expect fail
191 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
192 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
196 ScopedDBUnlock unlock(USER_APP, APP_PASS);
197 ScopedAccessProvider ap(TEST_LABEL);
198 ap.allowAPI("key-manager::api-storage", "rw");
199 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
201 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
205 check_remove_allowed(TEST_SYSTEM_ALIAS.c_str());
209 ScopedDBUnlock unlock(USER_APP, APP_PASS);
210 ScopedAccessProvider ap(TEST_LABEL);
211 ap.allowAPI("key-manager::api-storage", "rw");
212 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
214 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
218 RUNNER_TEST(T5034_CLIENT_APP_SET_READ_ACCESS, RemoveDataEnv<0, USER_APP>)
221 // switch to user app, unlock DB
222 // try to write to private DB - expect success
223 // try to write to system DB - expect fail
227 ScopedDBUnlock unlock(USER_APP, APP_PASS);
228 ScopedAccessProvider ap(TEST_LABEL);
229 ap.allowAPI("key-manager::api-storage", "rw");
230 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
232 ScopedSaveData ssdsystem_user(TEST_ALIAS, TEST_DATA);
233 ScopedSaveData ssdsystem_system(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA, CKMC_ERROR_PERMISSION_DENIED);
234 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
238 RUNNER_TEST(T5035_CLIENT_APP_TRY_REMOVING_SYSTEM_ITEM, RemoveDataEnv<0, USER_APP>)
241 // start as system service
242 // add resource to the system DB
243 // add permission to the resource to a user app
245 // switch to user app, unlock DB
246 // try to remove item from system DB - expect fail
249 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
250 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
254 ScopedDBUnlock unlock(USER_APP, APP_PASS);
255 ScopedAccessProvider ap(TEST_LABEL);
256 ap.allowAPI("key-manager::api-storage", "rw");
257 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
259 check_remove_denied(TEST_SYSTEM_ALIAS.c_str());
263 RUNNER_TEST(T5036_CLIENT_LIST_ACCESSIBLE_ITEMS, RemoveDataEnv<0, USER_APP>)
266 // start as system service
267 // add data A to the system DB
268 // add data B to the system DB
269 // add permission to data A to a user app
271 // system service list items - expect both items to appear
273 // switch to user app, unlock DB
275 // user lists items - expect system item A and private item
278 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
279 save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
280 allow_access(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_READ);
283 check_alias_list({TEST_SYSTEM_ALIAS.c_str(), TEST_SYSTEM_ALIAS_2.c_str()});
287 ScopedDBUnlock unlock(USER_APP, APP_PASS);
288 ScopedAccessProvider ap(TEST_LABEL);
289 ap.allowAPI("key-manager::api-storage", "rw");
290 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
291 ScopedSaveData user_data(TEST_ALIAS, TEST_DATA);
293 check_alias_list({TEST_SYSTEM_ALIAS.c_str(),
294 aliasWithLabel(TEST_LABEL, TEST_ALIAS)});
298 RUNNER_TEST(T5037_CLIENT_APP_TRY_GENERATE_KEY_IN_SYSTEM_DB, RemoveDataEnv<USER_APP>)
301 // switch to user app, unlock DB
302 // try to generate a key in system DB - expect fail
306 ScopedDBUnlock unlock(USER_APP, APP_PASS);
307 ScopedAccessProvider ap(TEST_LABEL);
308 ap.allowAPI("key-manager::api-storage", "rw");
309 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
311 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
312 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
313 ckmc_policy_s policy_private_key;
314 ckmc_policy_s policy_public_key;
315 policy_private_key.password = NULL;
316 policy_private_key.extractable = 1;
317 policy_public_key.password = NULL;
318 policy_public_key.extractable = 1;
321 CKMC_ERROR_PERMISSION_DENIED ==
322 (temp = ckmc_create_key_pair_rsa(1024,
323 private_key_alias.c_str(),
324 public_key_alias.c_str(),
327 CKMCReadableError(temp));
331 RUNNER_TEST(T5038_CLIENT_SERVER_CREATE_VERIFY_SYSTEM_DB, RemoveDataEnv<0,USER_APP>)
334 // start as system service
335 // generate RSA key in system DB
337 // try to create and verify signature in system DB - expect success
339 // switch to user app, unlock DB
340 // try to create signature in system DB - expect fail
343 std::string private_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-priv");
344 std::string public_key_alias = aliasWithLabel(SYSTEM_LABEL, "sys-db-pub");
345 ckmc_policy_s policy_private_key;
346 ckmc_policy_s policy_public_key;
347 policy_private_key.password = NULL;
348 policy_private_key.extractable = 1;
349 policy_public_key.password = NULL;
350 policy_public_key.extractable = 1;
354 (temp = ckmc_create_key_pair_rsa(1024,
355 private_key_alias.c_str(),
356 public_key_alias.c_str(),
359 CKMCReadableError(temp));
363 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
364 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
365 ckmc_raw_buffer_s *signature;
366 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
369 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
370 private_key_alias.c_str(),
376 CKMCReadableError(temp));
379 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
380 public_key_alias.c_str(),
386 CKMCReadableError(temp));
391 ScopedDBUnlock unlock(USER_APP, APP_PASS);
392 ScopedAccessProvider ap(TEST_LABEL);
393 ap.allowAPI("key-manager::api-storage", "rw");
394 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
396 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
397 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
398 ckmc_raw_buffer_s *signature;
399 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test");
402 CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_create_signature(
403 private_key_alias.c_str(),
409 CKMCReadableError(temp));
413 RUNNER_TEST(T5039_SYSTEM_APP_SET_REMOVE_ACCESS, RemoveDataEnv<0>)
416 // start as system service
417 // add resource to the system DB
419 // add remove permission to a user app - expect fail
422 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
425 allow_access_negative(TEST_SYSTEM_ALIAS.c_str(), TEST_LABEL, CKMC_PERMISSION_REMOVE, CKMC_ERROR_INVALID_PARAMETER);
428 RUNNER_TEST(T5040_SYSTEM_SVC_ACCESS_DB, RemoveDataEnv<0>)
431 // start as system service
432 // add resource to the system DB
434 // try to access the item - expect success
437 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
440 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
443 RUNNER_TEST(T5041_SYSTEM_SVC_1234_ACCESS_DB, RemoveDataEnv<0>)
446 // start as system service
447 // add resource to the system DB
449 // switch to another system service
450 // try to access the item - expect success
453 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
457 ScopedAccessProvider ap(TEST_LABEL_2);
458 ap.allowAPI("key-manager::api-storage", "rw");
459 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
461 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
465 RUNNER_TEST(T5042_SYSTEM_SVC_1234_ADD_ITEM_TO_DB)
468 // start as system service 1234
469 // add resource to the system DB
471 // switch to another system service
472 // try to access the item - expect success
476 ScopedAccessProvider ap(TEST_LABEL_2);
477 ap.allowAPI("key-manager::api-storage", "rw");
478 ap.applyAndSwithToUser(USER_SERVICE_2, GROUP_SERVICE_2);
481 ScopedSaveData ssd(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
482 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
486 RUNNER_TEST(T5043_SYSTEM_SVC_4999_ACCESS_DB, RemoveDataEnv<0>)
489 // start as system service
490 // add resource to the system DB
492 // switch to system service having uid maximum for system svcs
493 // try to access the item - expect success
496 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
500 ScopedAccessProvider ap(TEST_LABEL_2);
501 ap.allowAPI("key-manager::api-storage", "rw");
502 ap.applyAndSwithToUser(USER_SERVICE_MAX, GROUP_SERVICE_MAX);
504 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
508 RUNNER_TEST(T5044_SYSTEM_SVC_5000_ACCESS_DB, RemoveDataEnv<0>)
510 RUNNER_IGNORED_MSG("This test is turn off because fix "
511 "from tizen 2.4 that unlock db with empty password");
513 // start as system service
514 // add resource to the system DB
516 // switch to another, faulty system service with user-land uid==5000
517 // try to access the item - expect fail (no system service)
520 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
524 ScopedAccessProvider ap(TEST_LABEL_2);
525 ap.allowAPI("key-manager::api-storage", "rw");
526 ap.applyAndSwithToUser(USER_SERVICE_FAIL, GROUP_SERVICE_FAIL);
528 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA, CKMC_ERROR_DB_LOCKED);
532 RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL, RemoveDataEnv<0>)
535 // start as system service
537 // try to add item to system DB using wrong label - expect fail
538 // try to add item using explicit system label - expect success
541 save_data(aliasWithLabel(INVALID_LABEL, TEST_ALIAS).c_str(), TEST_DATA, CKMC_ERROR_INVALID_PARAMETER);
542 check_read(TEST_ALIAS, INVALID_LABEL, TEST_DATA, CKMC_ERROR_DB_ALIAS_UNKNOWN);
544 save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
545 check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
548 RUNNER_TEST(T5046_CLIENT_GET_ALIAS_STATUS_NO_PASSWORD, RemoveDataEnv<0>)
551 // start as system service
552 // add data A to the system DB
553 // add data B to the system DB
555 // system service list alias status - expect both items to have no password protection
558 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
559 save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
562 CKM::AliasPwdVector aliasPwdVector;
563 aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS.c_str(), false));
564 aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS_2.c_str(), false));
566 check_alias_info_list(aliasPwdVector);
569 RUNNER_TEST(T5047_CLIENT_GET_ALIAS_STATUS_PASSWORD_PROTECTED, RemoveDataEnv<0>)
572 // start as system service
573 // add data A to the system DB
574 // add data B with password protection to the system DB
575 // add data C with password protection to the system DB
577 // system service list alias status - expect: first alias - no password protection, second, third -
578 // protected with password
581 save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
582 save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);
583 save_data((TEST_SYSTEM_ALIAS_2 + "1").c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);
586 CKM::AliasPwdVector aliasPwdVector;
587 aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS.c_str(), false));
588 aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS_2.c_str(), true));
589 aliasPwdVector.push_back(std::make_pair((TEST_SYSTEM_ALIAS_2 + "1").c_str(),true));
591 check_alias_info_list(aliasPwdVector);
projects / platform / core / test / security-tests.git / blob