const uid_t GROUP_APP = 5070;
const char* APP_PASS = "user-pass";
-const char *XML_DEVICE_KEY = "device_key.xml";
-
const char *XML_1_okay = "XML_1_okay.xml";
std::string XML_1_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test-key1");
std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
std::string XML_1_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
std::string XML_1_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test-data1");
const char *XML_1_EXPECTED_DATA_1_DATA = "My secret data";
-// encrypted
-std::string XML_1_EXPECTED_KEY_3_RSA_PRV = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
-std::string XML_1_EXPECTED_KEY_3_RSA_PUB = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
-std::string XML_1_EXPECTED_ASCII_DATA = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
-std::string XML_1_EXPECTED_BIG_DATA = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");
const char *XML_2_okay = "XML_2_okay.xml";
std::string XML_2_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
std::string XML_3_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
std::string XML_3_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
-std::string format_src_path(const char *file)
+auto format_dest_path(const char *file)
{
- return std::string(CKM_TEST_DIR) + std::string(file);
+ return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
}
-std::string format_dest_key_path(const char *file)
-{
- return std::string(CKM_RW_DATA_DIR) + std::string(file);
-}
-
-std::string format_dest_path(const char *file)
-{
- return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
+void test_not_exists(const char *file) {
+ const auto name = format_dest_path(file);
+ const bool file_exists = access(name.c_str(), F_OK) != -1;
+ RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
}
-void copy_file(const std::string &from, const std::string &to)
+void copy_file(const char *file)
{
- std::ifstream infile(from, std::ios_base::binary);
- RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
- std::ofstream outfile(to, std::ios_base::binary);
- RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
+ const auto src = std::string(CKM_TEST_DIR) + file;
+ const auto dest = format_dest_path(file);
+ std::ifstream infile(src, std::ios_base::binary);
+ RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
+ std::ofstream outfile(dest, std::ios_base::binary);
+ RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
outfile << infile.rdbuf();
}
-void restart_key_manager()
+void restart_key_manager(const std::initializer_list<const char * const> files_to_copy = {})
{
stop_service(MANAGER);
+ for (const auto f : files_to_copy)
+ copy_file(f);
start_service(MANAGER);
}
-void test_exists(const std::string& name, bool expected) {
- bool file_exists = (access( name.c_str(), F_OK ) != -1);
- RUNNER_ASSERT_MSG(file_exists == expected,
- "File " << name << " status: " << file_exists <<
- " while expected: " << expected);
-}
-
-}
-
int hexToBin(char h) {
if (h >= '0' && h <= '9')
return h - '0';
return output;
}
+} // namespace
+
RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
-RUNNER_TEST_TZ_BACKEND(T6001_init)
+RUNNER_TEST(T6001_init)
{
// [prepare]
// remove database 0
// restart the key-manager
// check XML file doesn't exist
- copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
- copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
- copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
- copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
-
- test_exists(format_dest_path(XML_1_okay), true);
- test_exists(format_dest_path(XML_2_okay), true);
- test_exists(format_dest_path(XML_3_wrong), true);
-
- restart_key_manager();
-
- test_exists(format_dest_path(XML_1_okay), false);
- test_exists(format_dest_path(XML_2_okay), false);
- test_exists(format_dest_path(XML_3_wrong), false);
+ const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
+ restart_key_manager(files);
+ for (const auto f : files)
+ test_not_exists(f);
}
-RUNNER_TEST_TZ_BACKEND(T6010_PARSE_XML_FILE_AT_STARTUP)
+RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
{
// [test1]
// check items existence as system service
}
}
-RUNNER_TEST_TZ_BACKEND(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
+RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
{
// [test]
// check items existence as system service
check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
}
-RUNNER_TEST_TZ_BACKEND(T6030_PARSE_FAIL_XML_AT_STARTUP)
+RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
{
// [test]
// check items existence as system service - nothing should be available
check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
}
-RUNNER_TEST_TZ_BACKEND(T6040_CHECK_KEYS_VALID)
+RUNNER_TEST(T6040_CHECK_KEYS_VALID)
{
// [test]
// check if key can create & verify signature
ckmc_buffer_free(signature);
}
-RUNNER_TEST_TZ_BACKEND(T6050_ENCRYPTED_KEY)
-{
- // [prepare]
- // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
- // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
- // [test0]
- // check if encrypted private key is present
- // check if public key is present
- // [test1]
- // extract the private, encrypted key
- // extract the public key
- // create signature using the public key
- // verify signature using the decrypted private key
-
- // [test0]
- check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
- check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);
-
-
- ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
- ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
- ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
- ckmc_raw_buffer_s *signature = NULL;
- int temp;
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_NONE == (temp = ckmc_create_signature(
- XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
- NULL,
- msg_buff,
- hash_algo,
- pad_algo,
- &signature)),
- CKMCReadableError(temp));
-
- // invalid password
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
- XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
- NULL,
- msg_buff,
- *signature,
- hash_algo,
- pad_algo)),
- CKMCReadableError(temp));
-
- ckmc_buffer_free(signature);
-}
-
-RUNNER_TEST_TZ_BACKEND(T6060_ENCRYPTED_ASCII_DATA)
-{
- // [prepare]
- // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
- // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
- // [test0]
- // extract data
- // check if data matches the expected size and content
-
- // [test0]
- ckmc_raw_buffer_s *testData1;
- int temp;
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
- CKMCReadableError(temp));
- size_t expected_len = 15;
- RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
- RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
- ckmc_buffer_free(testData1);
-}
-
-RUNNER_TEST_TZ_BACKEND(T6070_ENCRYPTED_BIG_DATA)
-{
- // [prepare]
- // to encrypt using RSA OAEP: openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
- // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
- // [test0]
- // extract data
- // check if data matches the expected size
-
- // [test0]
- ckmc_raw_buffer_s *testData1;
- int temp;
- RUNNER_ASSERT_MSG(
- CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
- CKMCReadableError(temp));
- RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
- ckmc_buffer_free(testData1);
-}
-
-RUNNER_TEST_TZ_BACKEND(T6999_deinit)
+RUNNER_TEST(T6999_deinit)
{
remove_user_data(0);
}
std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
std::string iv = EIV_MESSAGE_ENCRYPTION_IV;
- copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
- restart_key_manager();
+ restart_key_manager({EIV_TEST_XML_FILENAME});
CKM::CryptoAlgorithm algo;
CKM::RawBuffer messageBin = hexToBin(messageHex);
RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
}
+RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
+{
+ restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
+ constexpr char testDataStr[] = "test-data";
+ const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
+ CKM::RawBuffer encrypted, decrypted, signature;
+ CKM::CryptoAlgorithm algoRsa;
+ algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
+
+ auto mgr = CKM::Manager::create();
+ int temp;
+
+ #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
+
+ const auto rsaCrypt = [&](auto pub, auto prv) {
+ MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
+ RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
+ MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
+ RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
+ };
+
+ rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
+ rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
+
+ const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
+ MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
+ MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
+ };
+
+ constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
+ constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
+ sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
+ sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
+ sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
+
+ #undef MGR
+}
+
+/* TODO
+ * - RW/RO location support (files removal, flag handling)
+ * - item overwrite
+ * - backend attribute support
+ * - independent tests
+ * - different formats (also encrypted)
+ * - complex tests using ckm-initial-values tool
+ */
projects / platform / core / test / security-tests.git / blobdiff