projects / platform / core / test / security-tests.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Separate ckm-test by the need of capability
[platform/core/test/security-tests.git] / src / ckm / ckm-common.cpp
diff --git a/src/ckm/ckm-common.cpp b/src/ckm/ckm-common.cpp
index 46c0c6b..a34b0d5 100644 (file)
--- a/src/ckm/ckm-common.cpp
+++ b/src/ckm/ckm-common.cpp
@@ -19,69 +19,57 @@
  * @version    1.0
  */
 #include <string>
-
+#include <fstream>
 #include <sys/smack.h>
 #include <ckmc/ckmc-type.h>
 #include <ckm-common.h>
 #include <tests_common.h>
-#include <access_provider2.h>
 #include <ckm/ckm-control.h>
 #include <ckm/ckm-manager.h>
 #include <ckmc/ckmc-control.h>
 #include <ckmc/ckmc-manager.h>
-#include <service_manager.h>
+#include <fcntl.h>
 #include <unistd.h>
 
-const char* SERVICE[] = {
-        "central-key-manager-listener.service",
-        "central-key-manager.service" };
-
-void start_service(ServiceIdx idx)
-{
-    ServiceManager sm(SERVICE[idx]);
-    sm.startService();
-}
-
-void stop_service(ServiceIdx idx)
-{
-    ServiceManager sm(SERVICE[idx]);
-    sm.stopService();
-}
-
-
-void switch_to_storage_user(const char* label)
-{
-    AccessProvider ap(label);
-    ap.allowAPI("key-manager::api-storage", "rw");
-    ap.applyAndSwithToUser(APP_UID, APP_GID);
-}
-
-void switch_to_storage_ocsp_user(const char* label)
-{
-    AccessProvider ap(label);
-    ap.allowAPI("key-manager::api-storage", "rw");
-    ap.allowAPI("key-manager::api-ocsp", "rw");
-    ap.applyAndSwithToUser(APP_UID, APP_GID);
-}
-
-DBCleanup::~DBCleanup()
-{
-    // Let it throw. If db can't be cleared further tests are unreliable
-    CKM::ManagerShPtr mgr = CKM::Manager::create();
-    for(const auto& it:m_aliases)
-        mgr->removeAlias(it);
-    m_aliases.clear();
+const std::string SMACK_USER_APP_PREFIX = "User::App::";
+const char *SYSTEM_LABEL = ckmc_owner_id_system;
+const char *TEST_LABEL = "test_label";
+const char *TEST_LABEL_2 = "test_label_2";
+const char *TEST_LABEL_3 = "test_label_3";
+const char *TEST_LABEL_4 = "test_label_4";
+const char *TEST_LABEL_5 = "test_label_5";
+
+void generate_random(size_t random_bytes, char *output)
+{
+    RUNNER_ASSERT(random_bytes>0 && output);
+
+    std::ifstream is("/dev/urandom", std::ifstream::binary);
+    RUNNER_ASSERT_MSG(is, "Failed to read /dev/urandom");
+    is.read(output, random_bytes);
+    if(static_cast<std::streamsize>(random_bytes) != is.gcount()) {
+        RUNNER_ASSERT_MSG(false,
+                          "Not enough bytes read from /dev/urandom: " << random_bytes << "!=" <<
+                          is.gcount());
+    }
 }
 
-// returns process label
-CharPtr get_label()
-{
+std::string getLabel() {
     int ret;
-    char* my_label = NULL;
-    RUNNER_ASSERT_MSG(0 <= (ret = smack_new_label_from_self(&my_label)),
+    char* myLabel = NULL;
+    RUNNER_ASSERT_MSG(0 <= (ret = smack_new_label_from_self(&myLabel)),
                          "Failed to get smack label for self. Error: " << ret);
+    RUNNER_ASSERT_MSG(myLabel, "NULL smack label");
+    std::string result = myLabel;
+    free(myLabel);
+    return result;
+}
 
-    return CharPtr(my_label, free);
+std::string getOwnerIdFromSelf() {
+    const std::string& prefix = SMACK_USER_APP_PREFIX;
+    std::string smack = getLabel();
+    if (0 == smack.compare(0, prefix.size(), prefix))
+        return smack.substr(prefix.size(), std::string::npos);
+    return "/" + smack;
 }
 
 std::string aliasWithLabel(const char *label, const char *alias)
@@ -95,29 +83,16 @@ std::string aliasWithLabel(const char *label, const char *alias)
     return std::string(alias);
 }
 
-// changes process label
-void change_label(const char* label)
-{
-    int ret = smack_set_label_for_self(label);
-    RUNNER_ASSERT_MSG(0 == ret, "Error in smack_set_label_for_self("<<label<<"). Error: " << ret);
-}
-
-ScopedLabel::ScopedLabel(const char* label) : m_original_label(get_label())
+std::string aliasWithLabelFromSelf(const char *alias)
 {
-    change_label(label);
-}
+    std::ostringstream oss;
+    oss << getOwnerIdFromSelf() << ckmc_label_name_separator << alias;
 
-ScopedLabel::~ScopedLabel()
-{
-    /*
-     * Let it throw. If we can't restore label then remaining tests results will be
-     * unreliable anyway.
-     */
-    change_label(m_original_label.get());
+    return oss.str();
 }
 
-const char * CKMCErrorToString(int error) {
 #define ERRORDESCRIBE(name) case name: return #name
+const char * CKMCErrorToString(int error) {
     switch(error) {
         ERRORDESCRIBE(CKMC_ERROR_NONE);
         ERRORDESCRIBE(CKMC_ERROR_INVALID_PARAMETER);
@@ -140,12 +115,42 @@ const char * CKMCErrorToString(int error) {
         ERRORDESCRIBE(CKMC_ERROR_FILE_ACCESS_DENIED);
         ERRORDESCRIBE(CKMC_ERROR_NOT_EXPORTABLE);
         ERRORDESCRIBE(CKMC_ERROR_FILE_SYSTEM);
+        ERRORDESCRIBE(CKMC_ERROR_NOT_SUPPORTED);
         ERRORDESCRIBE(CKMC_ERROR_UNKNOWN);
         default: return "Error not defined";
     }
-#undef ERRORDESCRIBE
 }
 
+const char * CKMErrorToString(int error) {
+    switch (error) {
+        ERRORDESCRIBE(CKM_API_SUCCESS);
+        ERRORDESCRIBE(CKM_API_ERROR_SOCKET);
+        ERRORDESCRIBE(CKM_API_ERROR_BAD_REQUEST);
+        ERRORDESCRIBE(CKM_API_ERROR_BAD_RESPONSE);
+        ERRORDESCRIBE(CKM_API_ERROR_SEND_FAILED);
+        ERRORDESCRIBE(CKM_API_ERROR_RECV_FAILED);
+        ERRORDESCRIBE(CKM_API_ERROR_AUTHENTICATION_FAILED);
+        ERRORDESCRIBE(CKM_API_ERROR_INPUT_PARAM);
+        ERRORDESCRIBE(CKM_API_ERROR_BUFFER_TOO_SMALL);
+        ERRORDESCRIBE(CKM_API_ERROR_OUT_OF_MEMORY);
+        ERRORDESCRIBE(CKM_API_ERROR_ACCESS_DENIED);
+        ERRORDESCRIBE(CKM_API_ERROR_SERVER_ERROR);
+        ERRORDESCRIBE(CKM_API_ERROR_DB_LOCKED);
+        ERRORDESCRIBE(CKM_API_ERROR_DB_ERROR);
+        ERRORDESCRIBE(CKM_API_ERROR_DB_ALIAS_EXISTS);
+        ERRORDESCRIBE(CKM_API_ERROR_DB_ALIAS_UNKNOWN);
+        ERRORDESCRIBE(CKM_API_ERROR_VERIFICATION_FAILED);
+        ERRORDESCRIBE(CKM_API_ERROR_INVALID_FORMAT);
+        ERRORDESCRIBE(CKM_API_ERROR_FILE_ACCESS_DENIED);
+        ERRORDESCRIBE(CKM_API_ERROR_NOT_EXPORTABLE);
+        ERRORDESCRIBE(CKM_API_ERROR_FILE_SYSTEM);
+        ERRORDESCRIBE(CKM_API_ERROR_NOT_SUPPORTED);
+        ERRORDESCRIBE(CKM_API_ERROR_UNKNOWN);
+        default: return "Error not defined";
+    }
+}
+#undef ERRORDESCRIBE
+
 std::string CKMCReadableError(int error) {
     std::string output("Error: ");
     output += std::to_string(error);
@@ -156,12 +161,17 @@ std::string CKMCReadableError(int error) {
 
 void save_data(const char* alias, const char *data, int expected_err)
 {
+    save_data(alias, data, strlen(data), expected_err);
+}
+
+void save_data(const char* alias, const char *data, size_t len, int expected_err = CKMC_ERROR_NONE)
+{
     RUNNER_ASSERT(alias);
     RUNNER_ASSERT(data);
 
     ckmc_raw_buffer_s buffer;
     buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
-    buffer.size = strlen(data);
+    buffer.size = len;
     ckmc_policy_s policy;
     policy.password = NULL;
     policy.extractable = true;
@@ -187,30 +197,6 @@ ScopedSaveData::~ScopedSaveData()
     check_remove_allowed(m_alias.c_str());
 }
 
-void GarbageCollector::save(const char* alias, const char *data, int expected_err)
-{
-    save_data(alias, data, expected_err);
-
-    if(CKMC_ERROR_NONE == expected_err)
-    {
-        save_item item;
-        item.item_alias = std::string(alias);
-        item.owner_label = std::string(get_label().get());
-        item.owner_uid = geteuid();
-        item.owner_gid = getegid();
-        m_garbage.push_back(item);
-    }
-}
-
-GarbageCollector::~GarbageCollector()
-{
-    for(auto & item : m_garbage)
-    {
-        ScopedAccessProvider ap(item.owner_label, item.owner_uid, item.owner_gid);
-        check_remove_allowed(item.item_alias.c_str());
-    }
-}
-
 ScopedDBUnlock::ScopedDBUnlock(uid_t user_id, const char* passwd) : m_uid(user_id)
 {
     int temp;
@@ -248,7 +234,11 @@ void check_remove_not_visible(const char* alias)
             << CKMCReadableError(ret));
 }
 
-void check_read(const char* alias, const char *label, const char *test_data, int expected_code)
+void check_read(const char* alias,
+                const char *label,
+                const char *test_data,
+                size_t len,
+                int expected_code)
 {
     ckmc_raw_buffer_s* buffer = NULL;
     int ret = ckmc_get_data(aliasWithLabel(label, alias).c_str(), NULL, &buffer);
@@ -260,8 +250,9 @@ void check_read(const char* alias, const char *label, const char *test_data, int
     {
         // compare data with expected
         RUNNER_ASSERT_MSG(
-                buffer->size == strlen(test_data),
-                "Extracted data length do not match expected data length (encrypted?).");
+                buffer->size == len,
+                "Extracted data length do not match expected data length (encrypted?):" <<
+                buffer->size << "!=" << len);
 
         RUNNER_ASSERT_MSG(
                 memcmp(const_cast<const char*>(reinterpret_cast<char*>(buffer->data)),
@@ -272,6 +263,11 @@ void check_read(const char* alias, const char *label, const char *test_data, int
     }
 }
 
+void check_read(const char* alias, const char *label, const char *test_data, int expected_code)
+{
+    check_read(alias, label, test_data, strlen(test_data), expected_code);
+}
+
 void check_read_allowed(const char* alias, const char *data)
 {
     // try to read previously saved data - label taken implicitly
@@ -285,11 +281,51 @@ void check_read_not_visible(const char* alias)
         ckmc_raw_buffer_s* buffer = NULL;
         int ret = ckmc_get_data(alias, NULL, &buffer);
         RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == ret,
-                            "App with different label shouldn't have rights to see this data." << CKMCErrorToString(ret));
+                            "App with different label shouldn't have rights to see this data. " << CKMCErrorToString(ret));
         ckmc_buffer_free(buffer);
     }
 }
 
+void check_key(const char *alias, int expected_error, ckmc_key_type_e expected_type)
+{
+    ckmc_key_s *test_key = NULL;
+    int temp = ckmc_get_key(alias, 0, &test_key);
+    RUNNER_ASSERT_MSG(
+            expected_error == temp,
+            "received: " << CKMCReadableError(temp) << " while expected: " << CKMCReadableError(expected_error));
+    if(expected_type != CKMC_KEY_NONE)
+    {
+        RUNNER_ASSERT_MSG(
+                test_key->key_type == expected_type,
+                "received type: " << test_key->key_type << " while expected type: " << expected_type);
+    }
+    ckmc_key_free(test_key);
+}
+void check_key_allowed(const char *alias, ckmc_key_type_e expected_type)
+{
+    check_key(alias, CKMC_ERROR_NONE, expected_type);
+}
+void check_key_not_visible(const char *alias)
+{
+    check_key(alias, CKMC_ERROR_DB_ALIAS_UNKNOWN);
+}
+void check_cert_allowed(const char *alias)
+{
+    ckmc_cert_s *test_cert = NULL;
+    int temp = ckmc_get_cert(alias, 0, &test_cert);
+    ckmc_cert_free(test_cert);
+    RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == temp, CKMCReadableError(temp));
+
+}
+void check_cert_not_visible(const char *alias)
+{
+    ckmc_cert_s *test_cert = NULL;
+    int temp = ckmc_get_cert(alias, 0, &test_cert);
+    ckmc_cert_free(test_cert);
+    RUNNER_ASSERT_MSG(CKMC_ERROR_DB_ALIAS_UNKNOWN == temp,
+                      "App with different label shouldn't have rights to see this cert. " << CKMCErrorToString(temp));
+}
+
 void allow_access(const char* alias, const char* accessor, int permissionMask)
 {
     // data removal should revoke this access
@@ -327,7 +363,7 @@ void unlock_user_data(uid_t user_id, const char *passwd)
     int ret;
     auto control = CKM::Control::create();
     RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (ret = control->unlockUserKey(user_id, passwd)),
-                      "Error=" << CKM::ErrorToString(ret));
+                      "Error=" << CKMErrorToString(ret));
 }
 
 void remove_user_data(uid_t user_id)
@@ -386,40 +422,115 @@ size_t count_aliases(alias_type_ type, size_t minimum_initial_element_count)
         case ALIAS_DATA:
             ec = ckmc_get_data_alias_list(&aliasList);
             break;
+        default:
+            RUNNER_ASSERT_MSG(false, "Unsupported value ALIAS_KEY == " << (int)type);
     }
+
     if(ec == CKMC_ERROR_DB_ALIAS_UNKNOWN)
         return 0;
-    else if(ec==0)
-    {
-        ckmc_alias_list_s *plist = aliasList;
-        size_t return_count = 0;
-        while(plist)
-        {
-            plist = plist->next;
-            return_count ++;
-        }
-        ckmc_alias_list_all_free(aliasList);
 
-        RUNNER_ASSERT_MSG(
-                return_count >= minimum_initial_element_count,
-                "Error: alias list failed, current element count: " << return_count <<
-                " while expected minimal count of " << minimum_initial_element_count <<
-                " elements");
+    RUNNER_ASSERT_MSG(ec == CKMC_ERROR_NONE,
+                      "Error: alias list failed, ec: " << CKMCErrorToString(ec));
 
-        return return_count;
-    }
-    else
+    ckmc_alias_list_s *plist = aliasList;
+    size_t return_count = 0;
+    while(plist)
     {
-        // error - fail
-        RUNNER_ASSERT_MSG(
-                ec >= 0,
-                "Error: alias list failed, ec: " << CKMCErrorToString(ec));
+        plist = plist->next;
+        return_count ++;
     }
+    ckmc_alias_list_all_free(aliasList);
+
+    RUNNER_ASSERT_MSG(
+      return_count >= minimum_initial_element_count,
+      "Error: alias list failed, current element count: " << return_count <<
+      " while expected minimal count of " << minimum_initial_element_count <<
+      " elements");
 
-    return 0;
+    return return_count;
 }
 
 std::string sharedDatabase(const CKM::Alias & alias)
 {
-    return aliasWithLabel(ckmc_label_shared_owner, alias.c_str());
+    return aliasWithLabel(ckmc_owner_id_system, alias.c_str());
+}
+
+ckmc_raw_buffer_s* createRandomBufferCAPI(size_t random_bytes)
+{
+    ckmc_raw_buffer_s* buffer = NULL;
+    char* data = static_cast<char*>(malloc(random_bytes*sizeof(char)));
+    RUNNER_ASSERT(data);
+    generate_random(random_bytes, data);
+    int ret = ckmc_buffer_new(reinterpret_cast<unsigned char*>(data), random_bytes, &buffer);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Buffer creation failed: " << CKMCErrorToString(ret));
+    return buffer;
+}
+
+CKM::RawBuffer createRandomBuffer(size_t random_bytes)
+{
+    char buffer[random_bytes];
+    generate_random(random_bytes, buffer);
+    return CKM::RawBuffer(buffer, buffer + random_bytes);
+}
+
+ckmc_key_s *generate_AES_key(size_t lengthBits, const char *passwd)
+{
+    ckmc_key_s *retval = reinterpret_cast<ckmc_key_s *>(malloc(sizeof(ckmc_key_s)));
+    RUNNER_ASSERT(retval != NULL);
+
+    RUNNER_ASSERT(lengthBits%8 == 0);
+    char *char_key_AES = reinterpret_cast<char*>(malloc(lengthBits/8));
+    RUNNER_ASSERT(char_key_AES != NULL);
+    generate_random(lengthBits/8, char_key_AES);
+
+    retval->raw_key  = reinterpret_cast<unsigned char *>(char_key_AES);
+    retval->key_size = lengthBits/8;
+    retval->key_type = CKMC_KEY_AES;
+    retval->password = passwd?strdup(passwd):NULL;
+
+    return retval;
+}
+
+void validate_AES_key(ckmc_key_s *analyzed)
+{
+    RUNNER_ASSERT_MSG(analyzed, "provided key is NULL");
+    RUNNER_ASSERT_MSG(analyzed->raw_key != NULL, "provided key is empty");
+    RUNNER_ASSERT_MSG(analyzed->key_size==(128/8) ||
+                      analyzed->key_size==(192/8) ||
+                      analyzed->key_size==(256/8), "provided key length is invalid");
+    RUNNER_ASSERT_MSG(analyzed->key_type = CKMC_KEY_AES, "expected AES key, while got: " << analyzed->key_type);
+}
+
+void compare_AES_keys(ckmc_key_s *first, ckmc_key_s *second)
+{
+    validate_AES_key(first);
+    validate_AES_key(second);
+    RUNNER_ASSERT_MSG(
+        (first->key_size==second->key_size) &&
+        (memcmp(first->raw_key, second->raw_key, first->key_size)==0),
+        "data has been modified in key manager");
+    // bypassing password intentionally
+}
+
+ParamListPtr createParamListPtr()
+{
+    ckmc_param_list_h list = NULL;
+    assert_positive(ckmc_param_list_new, &list);
+    return ParamListPtr(list, ckmc_param_list_free);
+}
+
+void assert_buffers_equal(const ckmc_raw_buffer_s b1, const ckmc_raw_buffer_s b2, bool equal)
+{
+    if(equal) {
+        RUNNER_ASSERT_MSG(b1.size == b2.size, "Buffer size differs: " << b1.size << "!=" << b2.size);
+        RUNNER_ASSERT_MSG(0 == memcmp(b1.data, b2.data, b1.size), "Buffer contents differ");
+    } else {
+        RUNNER_ASSERT_MSG(b1.size != b2.size || 0 != memcmp(b1.data, b2.data, b1.size),
+                          "Buffers should be different");
+    }
+}
+
+RawBufferPtr create_raw_buffer(ckmc_raw_buffer_s* buffer)
+{
+    return RawBufferPtr(buffer, ckmc_buffer_free);
 }
Domain: Security / Uncategorized;