From: Maciej J. Karpiuk Date: Wed, 10 Jun 2015 09:21:27 +0000 (+0200) Subject: Merge branch 'origin/tizen' into origin/ckm X-Git-Tag: security-manager_5.5_testing~9^2~81 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=313aea801d0869f7de57f5ecf6d3534bd007a7a4;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Merge branch 'origin/tizen' into origin/ckm Change-Id: If8bc45345b05df4e09e39ec233371320ebcf070a --- 313aea801d0869f7de57f5ecf6d3534bd007a7a4 diff --cc src/ckm/async-api.cpp index 56947aa4,1f678f25..62b125a0 --- a/src/ckm/async-api.cpp +++ b/src/ckm/async-api.cpp @@@ -383,19 -314,62 +383,64 @@@ typedef void (ManagerAsync::*certChainF const AliasVector&, const AliasVector&, bool); - } // namespace anonymous + class CKMAsyncAPIEnv + { + public: + void init(const std::string &) { - reset_user_data(0, TEST_PASS); - reset_user_data(APP_UID, TEST_PASS); ++ remove_user_data(0); ++ remove_user_data(APP_UID); ++ ScopedAccessProvider ap(TEST_LABEL, APP_UID, APP_GID); ++ unlock_user_data(APP_UID, TEST_PASS); + } + void finish() { + remove_user_data(APP_UID); + remove_user_data(0); + } + }; - RUNNER_TEST_GROUP_INIT(CKM_ASYNC_API); + CKM::Alias alias_PKCS_exportable = "async-test-PKCS-export"; + CKM::Alias alias_PKCS_not_exportable = "async-test-PKCS-no-export"; - RUNNER_TEST(TA0000_init) + CKM::PKCS12ShPtr loadPkcs() { - remove_user_data(0); - reset_user_data(APP_UID, TEST_PASS); + std::ifstream is("/usr/share/ckm-test/pkcs.p12"); + std::istreambuf_iterator begin(is), end; + std::vector buff(begin, end); + + CKM::RawBuffer buffer(buff.size()); + memcpy(buffer.data(), buff.data(), buff.size()); + + auto pkcs = CKM::PKCS12::create(buffer, CKM::Password()); + RUNNER_ASSERT_MSG( + NULL != pkcs.get(), + "Error in PKCS12::create()"); + + auto cert = pkcs->getCertificate(); + RUNNER_ASSERT_MSG( + NULL != cert.get(), + "Error in PKCS12::getCertificate()"); + + auto key = pkcs->getKey(); + RUNNER_ASSERT_MSG( + NULL != key.get(), + "Error in PKCS12::getKey()"); + + auto caVector = pkcs->getCaCertificateShPtrVector(); + RUNNER_ASSERT_MSG( + 2 == caVector.size(), + "Wrong size of vector"); + + return pkcs; } + } // namespace anonymous + + + RUNNER_TEST_GROUP_INIT(CKM_ASYNC_API); + // saveKey - RUNNER_CHILD_TEST(TA0010_save_key_invalid_param) + RUNNER_CHILD_TEST(TA0010_save_key_invalid_param, CKMAsyncAPIEnv) { switch_to_storage_user(TEST_LABEL); @@@ -1122,35 -1094,9 +1167,35 @@@ RUNNER_CHILD_TEST(TA1650_verify_signatu obs->m_signed, HashAlgorithm::SHA1, RSAPaddingAlgorithm::PKCS1); + + test_positive(&ManagerAsync::verifySignature, + dbc.alias("alias_pub"), + "", + test_buffer, + obs->m_signed, + HashAlgorithm::SHA1, + RSAPaddingAlgorithm::PKCS1); + + test_negative(&ManagerAsync::verifySignature, + CKM_API_ERROR_VERIFICATION_FAILED, + dbc.alias("alias_pub2"), + "", + test_buffer, + obs->m_signed, + HashAlgorithm::SHA1, + RSAPaddingAlgorithm::PKCS1); + + test_negative(&ManagerAsync::verifySignature, + CKM_API_ERROR_VERIFICATION_FAILED, + dbc.alias("alias_pub3"), + "", + test_buffer, + obs->m_signed, + HashAlgorithm::SHA1, + RSAPaddingAlgorithm::PKCS1); } - RUNNER_CHILD_TEST(TA1660_verify_signature_positive) + RUNNER_CHILD_TEST(TA1660_verify_signature_positive, CKMAsyncAPIEnv) { switch_to_storage_user(TEST_LABEL); @@@ -1221,44 -1167,39 +1266,44 @@@ RUNNER_CHILD_TEST(TA1810_allow_access_i test_invalid_param(&ManagerAsync::setPermission, "alias", "", CKM::Permission::READ | CKM::Permission::REMOVE); } - RUNNER_TEST(TA1820_allow_access) + RUNNER_TEST(TA1820_allow_access, CKMAsyncAPIEnv) { - DBCleanup dbc; - CharPtr top_label = get_label(); - test_positive(&ManagerAsync::saveData, dbc.alias("alias"), test_buffer, Policy()); - test_positive(&ManagerAsync::saveData, dbc.alias("alias2"), test_buffer, Policy()); - test_positive(&ManagerAsync::saveData, dbc.alias("alias3"), test_buffer, Policy()); - test_positive(&ManagerAsync::setPermission, - dbc.alias("alias2"), - TEST_LABEL, - CKM::Permission::READ); - test_positive(&ManagerAsync::setPermission, - dbc.alias("alias3"), - TEST_LABEL, - CKM::Permission::READ | CKM::Permission::REMOVE); + // prepare: add data + std::string alias1 = aliasWithLabel(TEST_LABEL, "alias-1"); + std::string alias2 = aliasWithLabel(TEST_LABEL, "alias-2"); + std::string alias3 = aliasWithLabel(TEST_LABEL, "alias-3"); + GarbageCollector gc; + { + ScopedAccessProvider ap(TEST_LABEL, APP_UID, APP_GID); + gc.save(alias1.c_str(), TEST_DATA); + gc.save(alias2.c_str(), TEST_DATA); + gc.save(alias3.c_str(), TEST_DATA); + + test_positive(&ManagerAsync::setPermission, + alias2, + TEST_LABEL_2, + CKM::Permission::READ); + test_positive(&ManagerAsync::setPermission, + alias3, + TEST_LABEL_2, + CKM::Permission::READ | CKM::Permission::REMOVE); + } { - ScopedLabel label(TEST_LABEL); + ScopedAccessProvider ap(TEST_LABEL_2, APP_UID, APP_GID); - test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, dbc.alias("alias"), ""); - test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_DB_ALIAS_UNKNOWN, dbc.alias("alias")); + test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, alias1, ""); + test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_DB_ALIAS_UNKNOWN, alias1); // test from allowed label, but without properly addressing alias (coming from default label) - test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, dbc.alias("alias2"), ""); + test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, "alias-2", ""); // now test with appropriate addressing - std::string full_alias2_address = aliasWithLabel(top_label.get(), dbc.alias("alias2")); - test_positive(&ManagerAsync::getData, full_alias2_address, ""); - test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_ACCESS_DENIED, full_alias2_address); + test_positive(&ManagerAsync::getData, alias2, ""); + test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_ACCESS_DENIED, alias2); - std::string full_alias3_address = aliasWithLabel(top_label.get(), dbc.alias("alias3")); - test_positive(&ManagerAsync::getData, full_alias3_address, ""); - test_positive(&ManagerAsync::removeAlias, full_alias3_address); + test_positive(&ManagerAsync::getData, alias3, ""); + test_positive(&ManagerAsync::removeAlias, alias3); } } @@@ -1272,30 -1213,23 +1317,30 @@@ RUNNER_CHILD_TEST(TA1910_deny_access_in test_invalid_param(&ManagerAsync::setPermission, "alias", "", CKM::Permission::NONE); } - RUNNER_TEST(TA1920_deny_access) + RUNNER_TEST(TA1920_deny_access, CKMAsyncAPIEnv) { - DBCleanup dbc; - CharPtr top_label = get_label(); - test_positive(&ManagerAsync::saveData, dbc.alias("alias"), test_buffer, Policy()); - test_positive(&ManagerAsync::setPermission, - dbc.alias("alias"), - TEST_LABEL, - CKM::Permission::READ | CKM::Permission::REMOVE); - test_positive(&ManagerAsync::setPermission, dbc.alias("alias"), TEST_LABEL, CKM::Permission::NONE); + // prepare: add data + std::string alias1 = aliasWithLabel(TEST_LABEL, "alias-1"); + GarbageCollector gc; + { + ScopedAccessProvider ap(TEST_LABEL, APP_UID, APP_GID); + gc.save(alias1.c_str(), TEST_DATA); + + test_positive(&ManagerAsync::setPermission, + alias1, + TEST_LABEL_2, + CKM::Permission::READ | CKM::Permission::REMOVE); + test_positive(&ManagerAsync::setPermission, + alias1, + TEST_LABEL_2, + CKM::Permission::NONE); + } { - ScopedLabel label(TEST_LABEL); + ScopedAccessProvider ap(TEST_LABEL_2, APP_UID, APP_GID); - std::string full_alias_address = aliasWithLabel(top_label.get(), dbc.alias("alias")); - test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, full_alias_address, ""); - test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_DB_ALIAS_UNKNOWN, full_alias_address); + test_negative(&ManagerAsync::getData, CKM_API_ERROR_DB_ALIAS_UNKNOWN, alias1, ""); + test_negative(&ManagerAsync::removeAlias, CKM_API_ERROR_DB_ALIAS_UNKNOWN, alias1); } } @@@ -1341,34 -1243,50 +1354,50 @@@ RUNNER_TEST(TA2000_PKCS_add_bundle_with CKM::Policy notExportable(CKM::Password(), false); test_positive(&ManagerAsync::savePKCS12, - sharedDatabase(alias_PKCS_exportable).c_str(), - dbc.alias(alias_PKCS_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_exportable).c_str()), pkcs, exportable, exportable); test_negative(&ManagerAsync::savePKCS12, CKM_API_ERROR_DB_ALIAS_EXISTS, - sharedDatabase(alias_PKCS_exportable).c_str(), - dbc.alias(alias_PKCS_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_exportable).c_str()), pkcs, exportable, exportable); test_positive(&ManagerAsync::savePKCS12, - sharedDatabase(alias_PKCS_not_exportable).c_str(), - dbc.alias(alias_PKCS_not_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_not_exportable).c_str()), pkcs, notExportable, notExportable); test_negative(&ManagerAsync::savePKCS12, CKM_API_ERROR_DB_ALIAS_EXISTS, - sharedDatabase(alias_PKCS_not_exportable).c_str(), - dbc.alias(alias_PKCS_not_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_not_exportable).c_str()), pkcs, notExportable, notExportable); } - RUNNER_TEST(TA2010_PKCS_get) + RUNNER_TEST(TA2010_PKCS_get, CKMAsyncAPIEnv) { DBCleanup dbc; - auto manager = CKM::Manager::create(); + + auto pkcs = loadPkcs(); + + // save to the CKM + CKM::Policy exportable; + CKM::Policy notExportable(CKM::Password(), false); + + test_positive(&ManagerAsync::savePKCS12, - dbc.alias(alias_PKCS_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_exportable).c_str()), + pkcs, + exportable, + exportable); + test_positive(&ManagerAsync::savePKCS12, - dbc.alias(alias_PKCS_not_exportable.c_str()), ++ dbc.alias(sharedDatabase(alias_PKCS_not_exportable).c_str()), + pkcs, + notExportable, + notExportable); // fail - no entry test_negative(&ManagerAsync::getPKCS12, diff --cc src/ckm/capi-access_control.cpp index 1312b4ec,6d8b7d0c..0da0bee2 --- a/src/ckm/capi-access_control.cpp +++ b/src/ckm/capi-access_control.cpp @@@ -631,29 -671,23 +631,33 @@@ RUNNER_TEST(T3106_control_allow_access_ // tries to use admin API as a user RUNNER_CHILD_TEST(T3110_control_allow_access_as_user) { + RUNNER_IGNORED_MSG("Disabled until labeled sockets not available"); + - switch_to_storage_user(TEST_LABEL); - int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_READ); + // prepare: add data + GarbageCollector gc; + ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1); + gc.save(TEST_ALIAS, TEST_DATA); + + // test + int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_READ); RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret, - "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret)); + "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret)); } // tries to use admin API as a user -RUNNER_CHILD_TEST(T3111_control_allow_access_as_user) +RUNNER_CHILD_TEST(T3111_control_deny_access_as_user) { + RUNNER_IGNORED_MSG("Disabled until labeled sockets not available"); + - switch_to_storage_user(TEST_LABEL); - int ret = ckmc_set_permission_by_adm(USER_ROOT, aliasWithLabel("owner", "alias").c_str(), "accessor", CKMC_PERMISSION_NONE); + // prepare: add data + GarbageCollector gc; + ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1); + gc.save(TEST_ALIAS, TEST_DATA); + + // test + int ret = ckmc_set_permission_by_adm(APP_1, aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str(), APP_LABEL_2, CKMC_PERMISSION_NONE); RUNNER_ASSERT_MSG(CKMC_ERROR_PERMISSION_DENIED == ret, - "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret)); + "Ordinary user should not be able to use control API. Error " << CKMCErrorToString(ret)); } // tries to read other application data with permission diff --cc src/ckm/main.cpp index 2de1aa0f,9c410778..fae27443 --- a/src/ckm/main.cpp +++ b/src/ckm/main.cpp @@@ -2334,51 -2312,60 +2334,56 @@@ RUNNER_TEST(T14189_deinit RUNNER_TEST_GROUP_INIT(T151_CKM_STORAGE_PERNAMENT_TESTS); -namespace { -CKM::Alias certeeAlias("CertEE"); -CKM::Alias certimAlias("CertIM"); -} --RUNNER_CHILD_TEST(T1510_init_unlock_key) ++RUNNER_TEST(T1510_init_unlock_key) { - ScopedAccessProvider ap("my-label"); - ap.allowAPI("key-manager::api-control", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); - reset_user_data(USER_TEST, "strong-password"); -- - unlock_user_data(USER_TEST, "strong-password"); - // initial DB feed - AccessProvider ap("my-label"); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); ++ reset_user_data(USER_TEST, APP_PASS); +} - RUNNER_CHILD_TEST(T1511_insert_data) - auto manager = CKM::Manager::create(); ++RUNNER_TEST(T1511_insert_data) +{ - ScopedAccessProvider ap("my-label"); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); - auto certee = TestData::getTestCertificate(TestData::MBANK); auto certim = TestData::getTestCertificate(TestData::SYMANTEC); - RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certeeAlias, certee, CKM::Policy())); - RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certimAlias, certim, CKM::Policy())); -} ++ CKM::Alias certeeAlias("CertEE"); ++ CKM::Alias certimAlias("CertIM"); ++ { ++ ScopedAccessProvider ap("my-label"); ++ ap.allowAPI("key-manager::api-storage", "rw"); ++ ap.applyAndSwithToUser(USER_TEST, GROUP_APP); ++ ScopedDBUnlock unlock(USER_TEST, APP_PASS); ++ ++ auto manager = CKM::Manager::create(); ++ RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certeeAlias, certee, CKM::Policy())); ++ RUNNER_ASSERT(CKM_API_SUCCESS == manager->saveCertificate(certimAlias, certim, CKM::Policy())); ++ } - auto manager = CKM::Manager::create(); - int status1 = manager->saveCertificate(CKM::Alias("CertEE"), certee, CKM::Policy()); - int status2 = manager->saveCertificate(CKM::Alias("CertIM"), certim, CKM::Policy()); - - RUNNER_ASSERT_MSG( - CKM_API_ERROR_DB_ALIAS_EXISTS == status1, - "Certificate should be in database already. Error=" << CKM::ErrorToString(status1)); -RUNNER_TEST(T1511_restart_CKM) -{ + // restart CKM + stop_service(MANAGER); + start_service(MANAGER); - unlock_user_data(USER_TEST, "strong-password"); -} - RUNNER_ASSERT_MSG( - CKM_API_ERROR_DB_ALIAS_EXISTS == status2, - "Certificate should be in database already. Error=" << CKM::ErrorToString(status2)); -RUNNER_CHILD_TEST(T1512_check_data_exists) -{ + // actual test - AccessProvider ap("my-label"); - ap.allowAPI("key-manager::api-storage", "rw"); - ap.applyAndSwithToUser(USER_TEST, GROUP_APP); - - auto manager = CKM::Manager::create(); - auto certee = TestData::getTestCertificate(TestData::MBANK); - auto certim = TestData::getTestCertificate(TestData::SYMANTEC); - int status1 = manager->saveCertificate(certeeAlias, certee, CKM::Policy()); - int status2 = manager->saveCertificate(certimAlias, certim, CKM::Policy()); - RUNNER_ASSERT_MSG( - CKM_API_ERROR_DB_ALIAS_EXISTS == status1, - "Certificate should be in database already. Error=" << CKM::ErrorToString(status1)); - RUNNER_ASSERT_MSG( - CKM_API_ERROR_DB_ALIAS_EXISTS == status2, - "Certificate should be in database already. Error=" << CKM::ErrorToString(status2)); ++ { ++ ScopedAccessProvider ap("my-label"); ++ ap.allowAPI("key-manager::api-storage", "rw"); ++ ap.applyAndSwithToUser(USER_TEST, GROUP_APP); ++ ScopedDBUnlock unlock(USER_TEST, APP_PASS); ++ ++ auto manager = CKM::Manager::create(); ++ int status1 = manager->saveCertificate(certeeAlias, certee, CKM::Policy()); ++ int status2 = manager->saveCertificate(certimAlias, certim, CKM::Policy()); ++ RUNNER_ASSERT_MSG( ++ CKM_API_ERROR_DB_ALIAS_EXISTS == status1, ++ "Certificate should be in database already. Error=" << CKM::ErrorToString(status1)); ++ RUNNER_ASSERT_MSG( ++ CKM_API_ERROR_DB_ALIAS_EXISTS == status2, ++ "Certificate should be in database already. Error=" << CKM::ErrorToString(status2)); ++ } } - RUNNER_CHILD_TEST(T1519_deinit) + RUNNER_TEST(T1519_deinit) { - int tmp; - ScopedAccessProvider ap("my-label"); - ap.allowAPI("key-manager::api-control", "rw"); - ap.applyAndSwithToUser(USER_APP, GROUP_APP); - - auto control = CKM::Control::create(); - RUNNER_ASSERT_MSG( - CKM_API_SUCCESS == (tmp = control->lockUserKey(USER_TEST)), - "Error=" << CKM::ErrorToString(tmp)); + remove_user_data(USER_TEST); } -- RUNNER_TEST_GROUP_INIT(T170_CKM_STORAGE_PERNAMENT_TESTS); RUNNER_TEST(T1701_init_unlock_key)