/*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2020 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
const gid_t GID = 7654;
const char *const DBPASS = "db-pass";
const char *const LABEL = "my-label";
-const Label DB_LABEL = "/" + string(LABEL);
+const ClientId OWNER = "/" + string(LABEL);
const int ENC_SCHEME_OFFSET = 24;
const string TEST_DATA_STR = "test-data";
RawBuffer TEST_DATA(TEST_DATA_STR.begin(), TEST_DATA_STR.end());
const Password TEST_PASS = "custom user password";
const size_t IV_LEN = 16;
const size_t CHAIN_LEN = 3;
+const mode_t MODE_0644 = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
enum {
NO_PASS = 0,
FdPtr sourceFdPtr(&sourceFd);
- int targetFd = TEMP_FAILURE_RETRY(creat(targetPath.c_str(), 0644));
+ int targetFd = TEMP_FAILURE_RETRY(creat(targetPath.c_str(), MODE_0644));
err = errno;
BOOST_REQUIRE_MESSAGE(targetFd > 0,
"Creating " << targetPath << " failed: " << GetErrnoString(err));
}
}
+void SchemeTest::CheckAliasInfo()
+{
+ SwitchToUser();
+ for (const auto &g : GROUPS) {
+ for (const auto &i : g.items) {
+ int ret;
+ bool encStatus = false;
+ Password pass = i.policy.password;
+
+ if (pass.empty())
+ pass = TEST_PASS;
+ else
+ pass = Password();
+
+ switch (i.type) {
+ case DataType::BINARY_DATA: {
+ ret = m_mgr->getDataEncryptionStatus(i.alias, encStatus);
+ BOOST_REQUIRE_MESSAGE(ret == CKM_API_SUCCESS,
+ "can not get data encryption status, ret: " +
+ std::to_string(ret));
+ break;
+ }
+
+ case DataType::KEY_AES:
+ case DataType::KEY_RSA_PRIVATE:
+ case DataType::KEY_RSA_PUBLIC: {
+ ret = m_mgr->getKeyEncryptionStatus(i.alias, encStatus);
+ BOOST_REQUIRE_MESSAGE(ret == CKM_API_SUCCESS,
+ "can not get key encryption status, ret: " +
+ std::to_string(ret));
+ break;
+ }
+
+ case DataType::CERTIFICATE: {
+ ret = m_mgr->getCertificateEncryptionStatus(i.alias, encStatus);
+ BOOST_REQUIRE_MESSAGE(ret == CKM_API_SUCCESS,
+ "can not get certificate encryption status, ret: " +
+ std::to_string(ret));
+ break;
+ }
+
+ case DataType::CHAIN_CERT_0: {
+ ret = m_mgr->getCertificateEncryptionStatus(i.alias, encStatus);
+ BOOST_REQUIRE_MESSAGE(ret == CKM_API_SUCCESS,
+ "can not get certificate encryption status, ret: " +
+ std::to_string(ret));
+ ret = m_mgr->getKeyEncryptionStatus(i.alias, encStatus);
+ BOOST_REQUIRE_MESSAGE(ret == CKM_API_SUCCESS,
+ "can not get key encryption status, ret: " +
+ std::to_string(ret));
+ break;
+ }
+
+ default:
+ BOOST_FAIL("Unsupported data type " << i.type);
+ }
+ BOOST_REQUIRE_MESSAGE(encStatus == !i.policy.password.empty(), "item: " <<
+ i.alias << " has wrong encryption status: " << encStatus);
+
+ }
+ }
+}
+
+
void SchemeTest::ReadAll(bool useWrongPass)
{
SwitchToUser();
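Review bot: In CheckAliasInfo the `CHAIN_CERT_0` case writes the results of `getCertificateEncryptionStatus` and then `getKeyEncryptionStatus` into the same `encStatus`, so the final comparison against `!i.policy.password.empty()` only checks the key's status. A wrong certificate status would pass unnoticed. Repeating the comparison right after the first call closes that gap, e.g. `BOOST_REQUIRE_MESSAGE(encStatus == !i.policy.password.empty(), "certificate of " << i.alias << " has wrong encryption status: " << encStatus);`. Separately, `pass` is set to `TEST_PASS` or `Password()` but never read in this function, so the declaration and the `if`/`else` around it can be dropped.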
for (const auto &i : g.items) {
DB::RowVector rows;
// it is assumed that aliases are different
- m_db->getRows(i.alias, DB_LABEL, DataType::DB_FIRST, DataType::DB_LAST, rows);
+ m_db->getRows(i.alias, OWNER, DataType::DB_FIRST, DataType::DB_LAST, rows);
ret += rows.size();
}
}
void SchemeTest::RestoreDb()
{
+ m_db.reset();
restoreFile("key-7654");
restoreFile("db-key-7654");
restoreFile("db-7654");
- m_db.reset();
m_directAccessEnabled = false;
}
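Review bot: `m_db.reset()` now runs before the three `restoreFile()` calls, but nothing in RestoreDb says the order is required, so a later cleanup could move it back. A one-line comment above it would record the intent, such as `// drop the direct DB handle before the files underneath it are replaced`. The reason is inferred from the reorder itself, so adjust the wording to the actual cause.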
continue;
DB::RowVector rows;
- m_db->getRows(i.alias, DB_LABEL, filter.typeFrom, filter.typeTo, rows);
+ m_db->getRows(i.alias, OWNER, filter.typeFrom, filter.typeTo, rows);
BOOST_REQUIRE_MESSAGE(rows.size() > 0, "No rows found for " << i.alias);
for (const auto &r : rows) {
auto wrappedDatabaseDEK = fs.getDBDEK();
RawBuffer key = keyProvider.getPureDEK(wrappedDatabaseDEK);
- m_db.reset(new DB::Crypto(fs.getDBPath(), key));
+ m_db.reset(new DB::Crypto(fs.getLegacyDBPath(), fs.getDBPath(), key));
m_directAccessEnabled = true;
+
+ // Legacy db files of the form db-$uid are incompatible with upstream sqlcipher.
+ // DB::Crypto(...) converts them to db0-$uid upstream-compatible, then deletes them.
+ // This function runs DB::Crypto(...) as root so db0-$uid are root-owned.
+ // However, database files need to be accessible to USER_NAME/GROUP_NAME (ex. ReadAll()).
+ // Thus the need to fix up ownership, much like restoreFile() does.
+ BOOST_REQUIRE(!chown(RW_DATA_DIR "/db0-7654", getUid(USER_NAME), getGid(GROUP_NAME)));
}
void SchemeTest::SignVerifyItem(const Item &itemPrv, const Item &itemPub)
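Review bot: The new `chown` call hard-codes `RW_DATA_DIR "/db0-7654"`, although `fs.getDBPath()` is passed to `DB::Crypto` just above and, going by the added comment, names the same file. If the path scheme changes again, the ownership fix-up will fail or miss the real database file. Assuming `getDBPath()` returns a `std::string`, `BOOST_REQUIRE_MESSAGE(!chown(fs.getDBPath().c_str(), getUid(USER_NAME), getGid(GROUP_NAME)), "chown failed: " << GetErrnoString(errno));` keeps the two in step and reports the cause. The comment says this runs as root, and `chown` follows symbolic links, so `lchown` is the safer call if the data directory is writable by any other account. The enclosing function starts outside the hunk.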