Modify decider logic

Allow importing of all types of asymmetric keys to TZ backend.

Add unit-test

Change-Id: Iebbd0d5f37b4568b8c2473cdfe178d1ddad85a86

diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp
index bdb976e..a1409d8 100644 (file)
--- a/src/manager/crypto/platform/decider.cpp
+++ b/src/manager/crypto/platform/decider.cpp
@@ -91,22 +91,26 @@ GStore* Decider::tryBackend(CryptoBackend backend)
 /*
  * operation encrypted type   extractable backend
  * ----------------------------------------------
- * import    FALSE     binary -           TZ/SW
+ * import    FALSE     binary *           TZ/SW
  *                     skey   FALSE       TZ/SW
  *                     skey   TRUE        SW
- *                     akey   -           SW
- *                     cert   -           SW
- *           TRUE      binary -           TZ
+ *                     akey   FALSE       TZ/SW
+ *                     akey   TRUE        SW
+ *                     cert   *           SW
+ * ----------------------------------------------
+ * import    TRUE      binary *           TZ
  *                     skey   FALSE       TZ
  *                     skey   TRUE        NONE
- *                     akey   -           NONE
- *                     cert   -           NONE
- * generate  -         binary -           TZ/SW
- *           -         cert   -           NONE
- *           -         skey   FALSE       TZ/SW
- *           -         skey   TRUE        SW
- *           -         akey   FALSE       TZ/SW
- *           -         akey   TRUE        SW
+ *                     akey   FALSE       TZ
+ *                     akey   TRUE        NONE
+ *                     cert   *           NONE
+ * ----------------------------------------------
+ * generate  N/A       binary *           TZ/SW
+ *                     skey   FALSE       TZ/SW
+ *                     skey   TRUE        SW
+ *                     akey   FALSE       TZ/SW
+ *                     akey   TRUE        SW
+ *                     cert   *           NONE
  */
 std::deque<CryptoBackend> Decider::getCompatibleBackends(DataType data,
                                                          const Policy &policy,
@@ -131,7 +135,7 @@ std::deque<CryptoBackend> Decider::getCompatibleBackends(DataType data,
                if (!encrypted)
                        addSW();
 
-               if (data.isBinaryData() || (data.isSymmetricKey() && !policy.extractable))
+               if (data.isBinaryData() || (data.isKey() && !policy.extractable))
                        addTZ();
        } else { // generate/derive
                assert(!encrypted);
@@ -160,9 +164,13 @@ GStore &Decider::getStore(DataType data, const Policy &policy, bool import, bool
        ThrowErr(Exc::Crypto::InternalError, "Failed to connect to a compatible backend.");
 }
 
-bool Decider::checkStore(CryptoBackend requestedBackend, DataType data, const Policy &policy, bool import)
+bool Decider::checkStore(CryptoBackend requestedBackend,
+                         DataType data,
+                         const Policy &policy,
+                         bool import,
+                         bool encrypted)
 {
-       auto backends = getCompatibleBackends(data, policy, import);
+       auto backends = getCompatibleBackends(data, policy, import, encrypted);
        for (auto id : backends) {
                if (id == requestedBackend)
                        return true;

diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h
index 47fb08d..e4c24fe 100644 (file)
--- a/src/manager/crypto/platform/decider.h
+++ b/src/manager/crypto/platform/decider.h
@@ -47,7 +47,11 @@ public:
                         const Policy &policy,
                         bool import = true,
                         bool encrypted = false);
-       bool checkStore(CryptoBackend id, DataType data, const Policy &policy, bool import);
+       bool checkStore(CryptoBackend id,
+                       DataType data,
+                       const Policy &policy,
+                       bool import,
+                       bool encrypted = false);
 
 private:
        GStore* tryBackend(CryptoBackend backend);

diff --git a/unit-tests/CMakeLists.txt b/unit-tests/CMakeLists.txt
index 139836d..3f7ad2e 100644 (file)
--- a/unit-tests/CMakeLists.txt
+++ b/unit-tests/CMakeLists.txt
@@ -74,6 +74,7 @@ SET(UNIT_TESTS_SOURCES
     ${CMAKE_CURRENT_SOURCE_DIR}/test_crypto-logic.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/test_data-type.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/test_db_crypto.cpp
+    ${CMAKE_CURRENT_SOURCE_DIR}/test_decider.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/test_descriptor-set.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/test_dpl-db.cpp
     ${CMAKE_CURRENT_SOURCE_DIR}/test_dpl-exception.cpp

diff --git a/unit-tests/test_decider.cpp b/unit-tests/test_decider.cpp
new file mode 100644 (file)
index 0000000..6328977
--- /dev/null
+++ b/unit-tests/test_decider.cpp
@@ -0,0 +1,156 @@
+/*
+ *  Copyright (c) 2023 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ */
+
+#include <vector>
+
+#include <boost_macros_wrapper.h>
+
+#include <platform/decider.h>
+
+using namespace CKM;
+using namespace CKM::Crypto;
+
+namespace {
+
+struct Mapping {
+       bool import; // true - import, false - generate
+       bool encrypted;
+       DataType type;
+       bool extractable;
+       bool swBackend;
+       bool tzBackend;
+};
+
+std::vector<Mapping> MAPPING {
+//   imp.,  enc.,  type,                        ext.,  SW,    TZ
+       {true,  false, DataType::BINARY_DATA,       false, true,  true  },
+       {true,  false, DataType::BINARY_DATA,       true,  true,  true  },
+
+       {true,  false, DataType::KEY_AES,           false, true,  true  },
+       {true,  false, DataType::KEY_AES,           true,  true,  false },
+
+       {true,  false, DataType::KEY_RSA_PRIVATE,   false, true,  true  },
+       {true,  false, DataType::KEY_RSA_PRIVATE,   true,  true,  false },
+       {true,  false, DataType::KEY_RSA_PUBLIC,    false, true,  true  },
+       {true,  false, DataType::KEY_RSA_PUBLIC,    true,  true,  false },
+
+       {true,  false, DataType::KEY_DSA_PRIVATE,   false, true,  true  },
+       {true,  false, DataType::KEY_DSA_PRIVATE,   true,  true,  false },
+       {true,  false, DataType::KEY_DSA_PUBLIC,    false, true,  true  },
+       {true,  false, DataType::KEY_DSA_PUBLIC,    true,  true,  false },
+
+       {true,  false, DataType::KEY_ECDSA_PRIVATE, false, true,  true  },
+       {true,  false, DataType::KEY_ECDSA_PRIVATE, true,  true,  false },
+       {true,  false, DataType::KEY_ECDSA_PUBLIC,  false, true,  true  },
+       {true,  false, DataType::KEY_ECDSA_PUBLIC,  true,  true,  false },
+
+       {true,  false, DataType::CERTIFICATE,       false, true,  false },
+       {true,  false, DataType::CERTIFICATE,       true,  true,  false },
+
+       {true,  false, DataType::CHAIN_CERT_0,      false, true,  false },
+       {true,  false, DataType::CHAIN_CERT_0,      true,  true,  false },
+
+
+       {true,  true,  DataType::BINARY_DATA,       false, false, true  },
+       {true,  true,  DataType::BINARY_DATA,       true,  false, true  },
+
+       {true,  true,  DataType::KEY_AES,           false, false, true  },
+       {true,  true,  DataType::KEY_AES,           true,  false, false },
+
+       {true,  true,  DataType::KEY_RSA_PRIVATE,   false, false, true  },
+       {true,  true,  DataType::KEY_RSA_PRIVATE,   true,  false, false },
+       {true,  true,  DataType::KEY_RSA_PUBLIC,    false, false, true  },
+       {true,  true,  DataType::KEY_RSA_PUBLIC,    true,  false, false },
+
+       {true,  true,  DataType::KEY_DSA_PRIVATE,   false, false, true  },
+       {true,  true,  DataType::KEY_DSA_PRIVATE,   true,  false, false },
+       {true,  true,  DataType::KEY_DSA_PUBLIC,    false, false, true  },
+       {true,  true,  DataType::KEY_DSA_PUBLIC,    true,  false, false },
+
+       {true,  true,  DataType::KEY_ECDSA_PRIVATE, false, false, true  },
+       {true,  true,  DataType::KEY_ECDSA_PRIVATE, true,  false, false },
+       {true,  true,  DataType::KEY_ECDSA_PUBLIC,  false, false, true  },
+       {true,  true,  DataType::KEY_ECDSA_PUBLIC,  true,  false, false },
+
+       {true,  true,  DataType::CERTIFICATE,       false, false, false },
+       {true,  true,  DataType::CERTIFICATE,       true,  false, false },
+
+       {true,  true,  DataType::CHAIN_CERT_0,      false, false, false },
+       {true,  true,  DataType::CHAIN_CERT_0,      true,  false, false },
+
+
+       {false, false, DataType::BINARY_DATA,       false, true,  true  },
+       {false, false, DataType::BINARY_DATA,       true,  true,  true  },
+
+       {false, false, DataType::KEY_AES,           false, true,  true  },
+       {false, false, DataType::KEY_AES,           true,  true,  false },
+
+       {false, false, DataType::KEY_RSA_PRIVATE,   false, true,  true  },
+       {false, false, DataType::KEY_RSA_PRIVATE,   true,  true,  false },
+       {false, false, DataType::KEY_RSA_PUBLIC,    false, true,  true  },
+       {false, false, DataType::KEY_RSA_PUBLIC,    true,  true,  false },
+
+       {false, false, DataType::KEY_DSA_PRIVATE,   false, true,  true  },
+       {false, false, DataType::KEY_DSA_PRIVATE,   true,  true,  false },
+       {false, false, DataType::KEY_DSA_PUBLIC,    false, true,  true  },
+       {false, false, DataType::KEY_DSA_PUBLIC,    true,  true,  false },
+
+       {false, false, DataType::KEY_ECDSA_PRIVATE, false, true,  true  },
+       {false, false, DataType::KEY_ECDSA_PRIVATE, true,  true,  false },
+       {false, false, DataType::KEY_ECDSA_PUBLIC,  false, true,  true  },
+       {false, false, DataType::KEY_ECDSA_PUBLIC,  true,  true,  false },
+
+       {false, false, DataType::CERTIFICATE,       false, false, false },
+       {false, false, DataType::CERTIFICATE,       true,  false, false },
+
+       {false, false, DataType::CHAIN_CERT_0,      false, false, false },
+       {false, false, DataType::CHAIN_CERT_0,      true,  false, false },
+};
+
+} // namespace
+
+BOOST_AUTO_TEST_SUITE(DECIDER_TEST)
+
+POSITIVE_TEST_CASE(MappingTest)
+{
+       Decider d;
+       bool ret;
+       for (const auto& row : MAPPING) {
+               Policy policy("", row.extractable);
+
+               ret = d.checkStore(CryptoBackend::OpenSSL, row.type, policy, row.import, row.encrypted);
+               BOOST_REQUIRE(ret == row.swBackend);
+
+               ret = d.checkStore(CryptoBackend::TrustZone, row.type, policy, row.import, row.encrypted);
+#ifdef TZ_BACKEND_ENABLED
+               BOOST_REQUIRE(ret == row.tzBackend);
+#else
+               BOOST_REQUIRE(ret == false);
+#endif
+
+               ret = d.checkStore(CryptoBackend::None, row.type, policy, row.import, row.encrypted);
+               BOOST_REQUIRE(ret == false);
+
+               ret = d.checkStore(CryptoBackend::SecureElement,
+                                  row.type,
+                                  policy,
+                                  row.import,
+                                  row.encrypted);
+               BOOST_REQUIRE(ret == false);
+       }
+}
+
+BOOST_AUTO_TEST_SUITE_END()