From: Maciej J. Karpiuk Date: Thu, 9 Apr 2015 12:43:46 +0000 (+0200) Subject: CKM: add AES key manipulation tests. X-Git-Tag: security-manager_5.5_testing~9^2~74 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=615a98b1e0ff6e8ca0a2901d01b4b5fbf14a967c;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git CKM: add AES key manipulation tests. Change-Id: I282a9201be1acc1013f010651c7c89c682d01ee2 --- diff --git a/src/ckm/algo-params.cpp b/src/ckm/algo-params.cpp index 0a123135..2c2aa5f7 100644 --- a/src/ckm/algo-params.cpp +++ b/src/ckm/algo-params.cpp @@ -43,7 +43,7 @@ ckmc_param_list_s* EMPTY_LIST = NULL; const size_t DEFAULT_IV_LEN = 16; const size_t DEFAULT_IV_LEN_BITS = 8*DEFAULT_IV_LEN; -RawBufferPtr IV(createRandomBuffer(DEFAULT_IV_LEN), ckmc_buffer_free); +RawBufferPtr IV(createRandomBufferCAPI(DEFAULT_IV_LEN), ckmc_buffer_free); void assert_list_empty(const ckmc_param_list_s* list) { @@ -157,7 +157,7 @@ RUNNER_TEST(TAP_0060_add_param) check_int_param(list.get(), CKMC_PARAM_ALGO_TYPE, CKMC_ALGO_AES_GCM); assert_param_count(list.get(),1); - RawBufferPtr buffer(createRandomBuffer(DEFAULT_IV_LEN), ckmc_buffer_free); + RawBufferPtr buffer(createRandomBufferCAPI(DEFAULT_IV_LEN), ckmc_buffer_free); assert_positive(ckmc_param_list_add_buffer, list.get(), CKMC_PARAM_ED_IV, diff --git a/src/ckm/async-api.cpp b/src/ckm/async-api.cpp index e0889e35..f0bb8bc0 100644 --- a/src/ckm/async-api.cpp +++ b/src/ckm/async-api.cpp @@ -41,6 +41,7 @@ #include #include #include +#include using namespace CKM; using namespace std; @@ -91,6 +92,7 @@ public: void ReceivedCertificateAliasVector(AliasVector && av) { m_aliases = move(av); Succeeded(); } void ReceivedDataAliasVector(AliasVector && av) { m_aliases = move(av); Succeeded(); } + void ReceivedCreateKeyAES() { Succeeded(); } void ReceivedCreateKeyPair() { Succeeded(); } void ReceivedGetCertificateChain(CertificateShPtrVector && chain) @@ -134,12 +136,14 @@ typedef shared_ptr MyObserverPtr; enum Type { RSA, DSA, - ECDSA + ECDSA, + AES }; -struct KeyPair +struct KeyContainer { - KeyPair(const std::string& prv_pem, const std::string& pub_pem) { + // assymetric + KeyContainer(const std::string& prv_pem, const std::string& pub_pem) { RawBuffer buffer_prv(prv_pem.begin(), prv_pem.end()); prv = Key::create(buffer_prv); assert(prv); @@ -149,11 +153,18 @@ struct KeyPair assert(pub); } + // symmetric + KeyContainer(const RawBuffer& key_raw) { + prv = pub = Key::createAES(key_raw); + assert(prv); + assert(pub); + } + KeyShPtr prv; KeyShPtr pub; }; -typedef map > KeyMap; +typedef map > KeyMap; KeyMap initializeKeys() @@ -289,6 +300,10 @@ KeyMap initializeKeys() "2glhz9wNmWTiUpSmZu+b/9FZ/VTtqDe05XKx\n" "-----END PUBLIC KEY-----" ); + + CKM::RawBuffer AES_key = createRandomBuffer(256/8); + km[AES].emplace_back(AES_key); + return km; } @@ -455,7 +470,9 @@ RUNNER_TEST(TA0020_save_key_already_exists, UserEnv) RUNNER_TEST(TA0050_save_key_positive, UserEnv) { - test_positive(&ManagerAsync::saveKey, "alias", keys[RSA][0].prv, Policy()); + test_positive(&ManagerAsync::saveKey, "alias_RSA", keys[RSA][0].prv, Policy()); + test_positive(&ManagerAsync::saveKey, "alias_DSA", keys[DSA][0].prv, Policy()); + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy()); } @@ -522,8 +539,13 @@ RUNNER_TEST(TA0330_remove_alias_unknown_alias, UserEnv) RUNNER_TEST(TA0350_remove_key_positive, UserEnv) { - test_positive(&ManagerAsync::saveKey, "alias", keys[RSA][0].prv, Policy()); - test_positive(&ManagerAsync::removeAlias, "alias"); + test_positive(&ManagerAsync::saveKey, "alias_RSA", keys[RSA][0].prv, Policy()); + test_positive(&ManagerAsync::removeAlias, "alias_RSA"); + test_positive(&ManagerAsync::saveKey, "alias_DSA", keys[DSA][0].prv, Policy()); + test_positive(&ManagerAsync::removeAlias, "alias_DSA"); + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy()); + test_positive(&ManagerAsync::removeAlias, "alias_AES"); + } @@ -555,17 +577,31 @@ RUNNER_TEST(TA0630_get_key_unknown_alias, UserEnv) RUNNER_TEST(TA0640_get_key_wrong_password, UserEnv) { - test_positive(&ManagerAsync::saveKey, "alias", keys[RSA][0].prv, Policy("password")); + test_positive(&ManagerAsync::saveKey, "alias_RSA", keys[RSA][0].prv, Policy("password")); test_negative(&ManagerAsync::getKey, CKM_API_ERROR_AUTHENTICATION_FAILED, - "alias", + "alias_RSA", + "wrong-password"); + test_positive(&ManagerAsync::saveKey, "alias_DSA", keys[DSA][0].prv, Policy("password")); + test_negative(&ManagerAsync::getKey, + CKM_API_ERROR_AUTHENTICATION_FAILED, + "alias_DSA", + "wrong-password"); + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy("password")); + test_negative(&ManagerAsync::getKey, + CKM_API_ERROR_AUTHENTICATION_FAILED, + "alias_AES", "wrong-password"); } RUNNER_TEST(TA0650_get_key_positive, UserEnv) { - test_positive(&ManagerAsync::saveKey, "alias", keys[RSA][0].prv, Policy("password")); - test_positive(&ManagerAsync::getKey, "alias", "password"); + test_positive(&ManagerAsync::saveKey, "alias_RSA", keys[RSA][0].prv, Policy("password")); + test_positive(&ManagerAsync::getKey, "alias_RSA", "password"); + test_positive(&ManagerAsync::saveKey, "alias_DSA", keys[DSA][0].prv, Policy("password")); + test_positive(&ManagerAsync::getKey, "alias_DSA", "password"); + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy("password")); + test_positive(&ManagerAsync::getKey, "alias_AES", "password"); } @@ -639,15 +675,22 @@ RUNNER_TEST(TA0910_get_key_alias_vector_invalid_param, UserEnv) RUNNER_TEST(TA0950_get_key_alias_vector_positive, UserEnv) { - test_positive(&ManagerAsync::saveKey, "alias1", keys[RSA][0].prv, Policy()); - test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias1") }); + test_positive(&ManagerAsync::saveKey, "alias_RSA", keys[RSA][0].prv, Policy()); + test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias_RSA") }); - test_positive(&ManagerAsync::saveKey, "alias2", keys[DSA][0].prv, Policy()); - test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias1"), - aliasWithLabel(TEST_LABEL, "alias2") }); + test_positive(&ManagerAsync::saveKey, "alias_DSA", keys[DSA][0].prv, Policy()); + test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias_RSA"), + aliasWithLabel(TEST_LABEL, "alias_DSA") }); - test_positive(&ManagerAsync::removeAlias, "alias1"); - test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias2") }); + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy()); + test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias_RSA"), + aliasWithLabel(TEST_LABEL, "alias_DSA"), + aliasWithLabel(TEST_LABEL, "alias_AES") }); + + // remove DSA key + test_positive(&ManagerAsync::removeAlias, "alias_DSA"); + test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias_RSA"), + aliasWithLabel(TEST_LABEL, "alias_AES")}); } @@ -692,7 +735,7 @@ RUNNER_TEST(TA1150_get_data_alias_vector_positive, UserEnv) // createKeyPairRSA -RUNNER_TEST(TA1210_create_key_pair_rsa_invalid_param, UserEnv) +RUNNER_TEST(TA1210_create_key_pair_RSA_invalid_param, UserEnv) { test_no_observer(&ManagerAsync::createKeyPairRSA, 1024, @@ -702,7 +745,7 @@ RUNNER_TEST(TA1210_create_key_pair_rsa_invalid_param, UserEnv) Policy()); } -RUNNER_TEST(TA1220_create_key_pair_rsa_already_exists, UserEnv) +RUNNER_TEST(TA1220_create_key_pair_RSA_already_exists, UserEnv) { test_positive(&ManagerAsync::saveKey, "alias_prv", keys[RSA][0].prv, Policy()); test_negative(&ManagerAsync::createKeyPairRSA, @@ -714,7 +757,7 @@ RUNNER_TEST(TA1220_create_key_pair_rsa_already_exists, UserEnv) Policy()); } -RUNNER_TEST(TA1250_create_key_pair_rsa_positive, UserEnv) +RUNNER_TEST(TA1250_create_key_pair_RSA_positive, UserEnv) { test_positive(&ManagerAsync::createKeyPairRSA, 1024, @@ -728,7 +771,7 @@ RUNNER_TEST(TA1250_create_key_pair_rsa_positive, UserEnv) } // createKeyPairDSA -RUNNER_TEST(TA1270_create_key_pair_dsa_invalid_param, UserEnv) +RUNNER_TEST(TA1270_create_key_pair_DSA_invalid_param, UserEnv) { test_no_observer(&ManagerAsync::createKeyPairDSA, 1024, @@ -738,7 +781,7 @@ RUNNER_TEST(TA1270_create_key_pair_dsa_invalid_param, UserEnv) Policy()); } -RUNNER_TEST(TA1280_create_key_pair_dsa_already_exists, UserEnv) +RUNNER_TEST(TA1280_create_key_pair_DSA_already_exists, UserEnv) { test_positive(&ManagerAsync::saveKey, "alias_prv", keys[DSA][0].prv, Policy()); test_negative(&ManagerAsync::createKeyPairDSA, @@ -750,7 +793,7 @@ RUNNER_TEST(TA1280_create_key_pair_dsa_already_exists, UserEnv) Policy()); } -RUNNER_TEST(TA1290_create_key_pair_dsa_positive, UserEnv) +RUNNER_TEST(TA1290_create_key_pair_DSA_positive, UserEnv) { test_positive(&ManagerAsync::createKeyPairDSA, 1024, @@ -764,7 +807,7 @@ RUNNER_TEST(TA1290_create_key_pair_dsa_positive, UserEnv) } // createKeyPairECDSA -RUNNER_TEST(TA1310_create_key_pair_ecdsa_invalid_param, UserEnv) +RUNNER_TEST(TA1310_create_key_pair_ECDSA_invalid_param, UserEnv) { test_no_observer(&ManagerAsync::createKeyPairECDSA, ElipticCurve::prime192v1, @@ -774,7 +817,7 @@ RUNNER_TEST(TA1310_create_key_pair_ecdsa_invalid_param, UserEnv) Policy()); } -RUNNER_TEST(TA1320_create_key_pair_ecdsa_already_exists, UserEnv) +RUNNER_TEST(TA1320_create_key_pair_ECDSA_already_exists, UserEnv) { test_positive(&ManagerAsync::saveKey, "alias_prv", keys[ECDSA][0].prv, Policy()); test_negative(&ManagerAsync::createKeyPairECDSA, @@ -786,7 +829,7 @@ RUNNER_TEST(TA1320_create_key_pair_ecdsa_already_exists, UserEnv) Policy()); } -RUNNER_TEST(TA1350_create_key_pair_ecdsa_positive, UserEnv) +RUNNER_TEST(TA1350_create_key_pair_ECDSA_positive, UserEnv) { test_positive(&ManagerAsync::createKeyPairECDSA, ElipticCurve::prime192v1, @@ -799,6 +842,34 @@ RUNNER_TEST(TA1350_create_key_pair_ecdsa_positive, UserEnv) aliasWithLabel(TEST_LABEL, "alias_pub") }); } +// createKeyAES +RUNNER_TEST(TA1360_create_key_AES_invalid_param, UserEnv) +{ + test_invalid_param(&ManagerAsync::createKeyAES, + 147, + "alias_AES", + Policy()); +} + +RUNNER_TEST(TA1370_create_key_AES_already_exists, UserEnv) +{ + test_positive(&ManagerAsync::saveKey, "alias_AES", keys[AES][0].prv, Policy()); + test_negative(&ManagerAsync::createKeyAES, + CKM_API_ERROR_DB_ALIAS_EXISTS, + 256, + "alias_AES", + Policy()); +} + +RUNNER_TEST(TA1380_create_key_AES_positive, UserEnv) +{ + test_positive(&ManagerAsync::createKeyAES, + 256, + "alias_AES", + Policy()); + + test_check_aliases(&ManagerAsync::getKeyAliasVector, { aliasWithLabel(TEST_LABEL, "alias_AES")}); +} // getCertificateChain RUNNER_TEST(TA1410_get_certificate_chain_invalid_param, UserEnv) diff --git a/src/ckm/capi-testcases.cpp b/src/ckm/capi-testcases.cpp index 60f22395..7db534ae 100644 --- a/src/ckm/capi-testcases.cpp +++ b/src/ckm/capi-testcases.cpp @@ -169,7 +169,7 @@ RUNNER_TEST(T3017_Control_C_API_remove_system_DB) RUNNER_TEST_GROUP_INIT (T302_CKMC_QUICK_SET_GET_TESTS_C_API); -RUNNER_TEST(T3021_init_C_API) +RUNNER_TEST(T30201_init_C_API) { int temp; @@ -179,7 +179,7 @@ RUNNER_TEST(T3021_init_C_API) CKMCReadableError(temp)); } -RUNNER_TEST(T3022_key_C_API) +RUNNER_TEST(T30202_RSA_key_C_API) { int temp; @@ -221,7 +221,32 @@ RUNNER_TEST(T3022_key_C_API) CKMCReadableError(temp)); } -RUNNER_TEST(T3023_certificate_C_API) +RUNNER_TEST(T30203_AES_key_C_API) +{ + int temp; + CKM::Alias alias = sharedDatabase("my_AES_key"); + size_t key_length = 192; + + ckmc_key_s *test_key = generate_AES_key(key_length, NULL); + ckmc_key_s *test_key2; + ckmc_policy_s test_policy; + test_policy.password = NULL; + test_policy.extractable = 1; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(alias.c_str(), *test_key, test_policy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_get_key(alias.c_str(), NULL, &test_key2)), + CKMCReadableError(temp)); + + compare_AES_keys(test_key, test_key2); + ckmc_key_free(test_key); + ckmc_key_free(test_key2); +} + +RUNNER_TEST(T30204_certificate_C_API) { int temp; @@ -254,7 +279,7 @@ RUNNER_TEST(T3023_certificate_C_API) ckmc_cert_free(cert2); } -RUNNER_TEST(T3024_certificate_remove_C_API) +RUNNER_TEST(T30205_certificate_remove_C_API) { int temp; @@ -276,7 +301,7 @@ RUNNER_TEST(T3024_certificate_remove_C_API) CKMCReadableError(temp)); } -RUNNER_TEST(T3025_certificate_list_C_API) +RUNNER_TEST(T30206_certificate_list_C_API) { int temp; @@ -316,7 +341,7 @@ RUNNER_TEST(T3025_certificate_list_C_API) } -RUNNER_CHILD_TEST(T3026_user_app_save_key_C_API) +RUNNER_CHILD_TEST(T30207_user_app_save_RSA_key_C_API) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -363,9 +388,62 @@ RUNNER_CHILD_TEST(T3026_user_app_save_key_C_API) // RUNNER_ASSERT_MSG( // key.getDER() == key2.getDER(), "Key value has been changed by service"); + + delete [] char_keypem; +} + +RUNNER_CHILD_TEST(T30208_user_app_save_AES_key_C_API) +{ + AccessProvider ap("mylabel"); + ap.allowAPI("key-manager::api-storage", "rw"); + ap.applyAndSwithToUser(USER_APP, GROUP_APP); + + int temp; + const char* password = NULL; + size_t key_length = 192; + CKM::Alias alias = "my_AES_key"; + + ckmc_key_s *test_key = generate_AES_key(key_length, password); + ckmc_key_s *test_key2; + ckmc_policy_s test_policy; + test_policy.password = const_cast(password); + test_policy.extractable = 1; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(alias.c_str(), *test_key, test_policy)), + CKMCReadableError(temp)); + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_get_key(alias.c_str(), password, &test_key2)), + CKMCReadableError(temp)); + + compare_AES_keys(test_key, test_key2); + ckmc_key_free(test_key); + ckmc_key_free(test_key2); } -RUNNER_CHILD_TEST(T3027_app_user_save_keys_exportable_flag) +RUNNER_CHILD_TEST(T30209_user_app_save_AES_key_passwd_C_API) +{ + AccessProvider ap("mylabel"); + ap.allowAPI("key-manager::api-storage", "rw"); + ap.applyAndSwithToUser(USER_APP, GROUP_APP); + + int temp; + const char* password = "x"; + size_t key_length = 192; + CKM::Alias alias = "my_AES_key-2"; + + ckmc_key_s *test_key = generate_AES_key(key_length, password); + ckmc_policy_s test_policy; + test_policy.password = const_cast(password); + test_policy.extractable = 1; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_INVALID_PARAMETER == (temp = ckmc_save_key(alias.c_str(), *test_key, test_policy)), + CKMCReadableError(temp)); + ckmc_key_free(test_key); +} + +RUNNER_CHILD_TEST(T30210_app_user_save_RSA_keys_exportable_flag) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -393,7 +471,7 @@ RUNNER_CHILD_TEST(T3027_app_user_save_keys_exportable_flag) test_key.raw_key = (unsigned char *)char_keypem; test_key.key_size = keyPem.length(); test_key.key_type = CKMC_KEY_RSA_PUBLIC; - test_key.password = password; + test_key.password = NULL; test_policy.password = password; test_policy.extractable = 0; @@ -407,8 +485,34 @@ RUNNER_CHILD_TEST(T3027_app_user_save_keys_exportable_flag) CKMCReadableError(temp)); } +RUNNER_CHILD_TEST(T30211_app_user_save_AES_keys_exportable_flag) +{ + AccessProvider ap("mylabel"); + ap.allowAPI("key-manager::api-storage", "rw"); + ap.applyAndSwithToUser(USER_APP, GROUP_APP); -RUNNER_TEST(T3028_certificate_with_DSA_key_C_API) + int temp; + const char* password = NULL; + size_t key_length = 256; + CKM::Alias alias = "my_AES_key-3"; + + ckmc_key_s *test_key = generate_AES_key(key_length, password); + ckmc_key_s *test_key2; + ckmc_policy_s test_policy; + test_policy.password = const_cast(password); + test_policy.extractable = 0; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(alias.c_str(), *test_key, test_policy)), + CKMCReadableError(temp)); + ckmc_key_free(test_key); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NOT_EXPORTABLE == (temp = ckmc_get_key(alias.c_str(), password, &test_key2)), + CKMCReadableError(temp)); +} + +RUNNER_TEST(T30212_certificate_with_DSA_key_C_API) { int temp; @@ -440,7 +544,7 @@ RUNNER_TEST(T3028_certificate_with_DSA_key_C_API) ckmc_cert_free(cert2); } -RUNNER_TEST(T3029_deinit_C_API) +RUNNER_TEST(T30213_deinit_C_API) { int temp; @@ -466,7 +570,7 @@ RUNNER_TEST(T3031_init_C_API) CKMCReadableError(temp)); } -RUNNER_TEST(T3032_save_keys_get_alias_C_API) +RUNNER_TEST(T3032_save_asymmetric_keys_get_alias_C_API) { int temp; @@ -522,7 +626,7 @@ RUNNER_TEST(T3032_save_keys_get_alias_C_API) } -RUNNER_TEST(T3033_remove_key_C_API) +RUNNER_TEST(T3033_remove_asymmetric_key_C_API) { int temp; @@ -542,7 +646,72 @@ RUNNER_TEST(T3033_remove_key_C_API) CKMCReadableError(temp)); } -RUNNER_TEST(T3034_deinit_C_API) +RUNNER_TEST(T3034_save_symmetric_keys_get_alias_C_API) +{ + int temp; + size_t key_length = 128; + ckmc_key_s *test_key = generate_AES_key(key_length, NULL); + ckmc_policy_s test_policy1, test_policy2, test_policy3; + test_policy1.password = NULL; + test_policy1.extractable = 1; + + test_policy2.password = NULL; + test_policy2.extractable = 1; + + test_policy3.password = NULL; + test_policy3.extractable = 1; + + int current_aliases_num = count_aliases(ALIAS_KEY); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(sharedDatabase("AES_key1").c_str(), *test_key, test_policy1)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(sharedDatabase("AES_key2").c_str(), *test_key, test_policy2)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(sharedDatabase("AES_key3").c_str(), *test_key, test_policy3)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + (current_aliases_num+3) == (temp = count_aliases(ALIAS_KEY)), + "Error: expecting " << (current_aliases_num+3) << " aliases, while found " << temp); + + ckmc_key_free(test_key); +} + + +RUNNER_TEST(T3035_remove_symmetric_key_C_API) +{ + int temp; + + ckmc_key_s *test_key2; + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_get_key(sharedDatabase("AES_key1").c_str(), NULL, &test_key2)), + CKMCReadableError(temp)); + validate_AES_key(test_key2); + ckmc_key_free(test_key2); + + // actual test - remove middle item + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_remove_key(sharedDatabase("AES_key2").c_str())), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_DB_ALIAS_UNKNOWN == (temp = ckmc_get_key(sharedDatabase("AES_key2").c_str(), NULL, &test_key2)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_get_key(sharedDatabase("AES_key3").c_str(), NULL, &test_key2)), + CKMCReadableError(temp)); + validate_AES_key(test_key2); + ckmc_key_free(test_key2); + +} + +RUNNER_TEST(T3036_deinit_C_API) { int temp; @@ -762,7 +931,7 @@ RUNNER_TEST(T3051_CAPI_init) CKMCReadableError(temp)); } -RUNNER_CHILD_TEST(T3052_CAPI_create_rsa_key) +RUNNER_CHILD_TEST(T3052_CAPI_create_RSA_key) { int temp; @@ -822,7 +991,7 @@ RUNNER_CHILD_TEST(T3052_CAPI_create_rsa_key) CKMCReadableError(temp)); } -RUNNER_CHILD_TEST(T3053_CAPI_create_dsa_key) +RUNNER_CHILD_TEST(T3053_CAPI_create_DSA_key) { int temp; @@ -884,7 +1053,36 @@ RUNNER_CHILD_TEST(T3053_CAPI_create_dsa_key) } -RUNNER_TEST(T3054_CAPI_deinit) +RUNNER_CHILD_TEST(T3054_CAPI_create_AES_key) +{ + int temp; + size_t size = 128; + CKM::Alias key_alias = sharedDatabase("AES-gen-test-1"); + ckmc_policy_s policy_key; + + policy_key.password = NULL; + policy_key.extractable = 1; + + int current_aliases_num = count_aliases(ALIAS_KEY); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_create_key_aes(size, key_alias.c_str(), policy_key)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + (current_aliases_num+1) == (temp = count_aliases(ALIAS_KEY)), + "Error: expecting " << (current_aliases_num+2) << " aliases, while found " << temp); + + ckmc_key_s *get_AES_key = 0; + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_get_key(key_alias.c_str(), policy_key.password, &get_AES_key)), + CKMCReadableError(temp)); + validate_AES_key(get_AES_key); + ckmc_key_free(get_AES_key); +} + + +RUNNER_TEST(T3055_CAPI_deinit) { int temp; diff --git a/src/ckm/cc-mode.cpp b/src/ckm/cc-mode.cpp index 421b998a..08395d9b 100644 --- a/src/ckm/cc-mode.cpp +++ b/src/ckm/cc-mode.cpp @@ -106,6 +106,8 @@ Alias rsa_pri_alias = sharedDatabase("rsa-private-T2002"); Alias rsa_pub_alias = sharedDatabase("rsa-public-T2002"); Alias ecdsa_pri_alias = sharedDatabase("ecdsa-private-T2002"); Alias ecdsa_pub_alias = sharedDatabase("ecdsa-public-T2002"); +Alias aes_alias = sharedDatabase("aes-T2002"); +size_t aes_length = 128; void save_keys() { @@ -129,6 +131,13 @@ void save_keys() Policy(Password(), true), Policy(Password(), true))), "Error=" << ErrorToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->createKeyAES( + aes_length, + aes_alias, + Policy(Password(), true))), + "Error=" << ErrorToString(temp)); } void read_key(ManagerShPtr& manager, const Alias& alias, int expected) { @@ -150,6 +159,7 @@ void read_keys(int expected) read_key(manager, rsa_pri_alias, expected); read_key(manager, ecdsa_pri_alias, expected); + read_key(manager, aes_alias, expected); } void update_cc_mode() diff --git a/src/ckm/ckm-common.cpp b/src/ckm/ckm-common.cpp index 87c3c88e..47b4012b 100644 --- a/src/ckm/ckm-common.cpp +++ b/src/ckm/ckm-common.cpp @@ -20,7 +20,6 @@ */ #include #include - #include #include #include @@ -31,8 +30,23 @@ #include #include #include +#include #include +void generate_random(size_t random_bytes, char *output) +{ + RUNNER_ASSERT(random_bytes>0 && output); + + std::ifstream is("/dev/urandom", std::ifstream::binary); + RUNNER_ASSERT_MSG(is, "Failed to read /dev/urandom"); + is.read(output, random_bytes); + if(static_cast(random_bytes) != is.gcount()) { + RUNNER_ASSERT_MSG(false, + "Not enough bytes read from /dev/urandom: " << random_bytes << "!=" << + is.gcount()); + } +} + const char* SERVICE[] = { "central-key-manager-listener.service", "central-key-manager.service" }; @@ -458,24 +472,63 @@ std::string sharedDatabase(const CKM::Alias & alias) return aliasWithLabel(ckmc_label_shared_owner, alias.c_str()); } -ckmc_raw_buffer_s* createRandomBuffer(size_t len) +ckmc_raw_buffer_s* createRandomBufferCAPI(size_t random_bytes) { ckmc_raw_buffer_s* buffer = NULL; - char* data = static_cast(malloc(len*sizeof(char))); - std::ifstream is("/dev/urandom", std::ifstream::binary); - RUNNER_ASSERT_MSG(is, "Failed to read /dev/urandom"); - is.read(data, len); - if(static_cast(len) != is.gcount()) { - free(data); - RUNNER_ASSERT_MSG(false, - "Not enough bytes read from /dev/urandom: " << len << "!=" << - is.gcount()); - } - int ret = ckmc_buffer_new(reinterpret_cast(data), len, &buffer); + char* data = static_cast(malloc(random_bytes*sizeof(char))); + RUNNER_ASSERT(data); + generate_random(random_bytes, data); + int ret = ckmc_buffer_new(reinterpret_cast(data), random_bytes, &buffer); RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Buffer creation failed: " << CKMCErrorToString(ret)); return buffer; } +CKM::RawBuffer createRandomBuffer(size_t random_bytes) +{ + char buffer[random_bytes]; + generate_random(random_bytes, buffer); + return CKM::RawBuffer(buffer, buffer + random_bytes); +} + +ckmc_key_s *generate_AES_key(size_t lengthBits, const char *passwd) +{ + ckmc_key_s *retval = reinterpret_cast(malloc(sizeof(ckmc_key_s))); + RUNNER_ASSERT(retval != NULL); + + RUNNER_ASSERT(lengthBits%8 == 0); + char *char_key_AES = reinterpret_cast(malloc(lengthBits/8)); + RUNNER_ASSERT(char_key_AES != NULL); + generate_random(lengthBits/8, char_key_AES); + + retval->raw_key = reinterpret_cast(char_key_AES); + retval->key_size = lengthBits/8; + retval->key_type = CKMC_KEY_AES; + retval->password = passwd?strdup(passwd):NULL; + + return retval; +} + +void validate_AES_key(ckmc_key_s *analyzed) +{ + RUNNER_ASSERT_MSG(analyzed, "provided key is NULL"); + RUNNER_ASSERT_MSG(analyzed->raw_key != NULL, "provided key is empty"); + RUNNER_ASSERT_MSG(analyzed->key_size==(128/8) || + analyzed->key_size==(192/8) || + analyzed->key_size==(256/8), "provided key length is invalid"); + RUNNER_ASSERT_MSG(analyzed->key_type = CKMC_KEY_AES, "expected AES key, while got: " << analyzed->key_type); +} + +void compare_AES_keys(ckmc_key_s *first, ckmc_key_s *second) +{ + validate_AES_key(first); + validate_AES_key(second); + RUNNER_ASSERT_MSG( + (first->key_size==second->key_size) && + (memcmp(first->raw_key, second->raw_key, first->key_size)==0), + "data has been modified in key manager"); + // bypassing password intentionally +} + ParamListPtr createParamListPtr() { ckmc_param_list_s* list = NULL; diff --git a/src/ckm/ckm-common.h b/src/ckm/ckm-common.h index b453ba05..6f3969ba 100644 --- a/src/ckm/ckm-common.h +++ b/src/ckm/ckm-common.h @@ -180,6 +180,12 @@ typedef enum { } alias_type_; size_t count_aliases(alias_type_ type, size_t minimum_initial_element_count = 0); std::string sharedDatabase(const CKM::Alias & alias); +CKM::RawBuffer createRandomBuffer(size_t random_bytes); +ckmc_raw_buffer_s* createRandomBufferCAPI(size_t random_bytes); + +ckmc_key_s *generate_AES_key(size_t lengthBits, const char *passwd); +void validate_AES_key(ckmc_key_s *analyzed); +void compare_AES_keys(ckmc_key_s *first, ckmc_key_s *second); // true if equal // Test env class for database cleanup. Pass database uids to cleanup before and after test template @@ -209,8 +215,6 @@ public: } }; -ckmc_raw_buffer_s* createRandomBuffer(size_t len); - typedef std::shared_ptr RawBufferPtr; typedef std::shared_ptr ParamListPtr; diff --git a/src/ckm/main.cpp b/src/ckm/main.cpp index cb2458e8..ca3eaa73 100644 --- a/src/ckm/main.cpp +++ b/src/ckm/main.cpp @@ -667,7 +667,7 @@ RUNNER_TEST(T1040_init) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_CHILD_TEST(T1041_create_rsa_key) +RUNNER_CHILD_TEST(T1041_create_RSA_key) { int temp; auto manager = CKM::Manager::create(); @@ -689,7 +689,7 @@ RUNNER_CHILD_TEST(T1041_create_rsa_key) "Vector size: " << temp << ". Expected: " << (current_aliases_num+2)); } -RUNNER_CHILD_TEST(T1042_create_rsa_key_foreign_label) +RUNNER_CHILD_TEST(T1042_create_RSA_key_foreign_label) { int temp; auto manager = CKM::Manager::create(); @@ -707,7 +707,7 @@ RUNNER_CHILD_TEST(T1042_create_rsa_key_foreign_label) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_CHILD_TEST(T1043_create_dsa_key) +RUNNER_CHILD_TEST(T1043_create_DSA_key) { int temp; auto manager = CKM::Manager::create(); @@ -729,6 +729,28 @@ RUNNER_CHILD_TEST(T1043_create_dsa_key) "Vector size: " << temp << ". Expected: " << (current_aliases_num+2)); } +RUNNER_CHILD_TEST(T1044_create_AES_key) +{ + int temp; + auto manager = CKM::Manager::create(); + CKM::AliasVector av; + + AccessProvider ap("mylabel-aes"); + ap.allowAPI("key-manager::api-storage", "rw"); + ap.applyAndSwithToUser(USER_APP, GROUP_APP); + + int current_aliases_num = count_aliases(ALIAS_KEY); + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->createKeyAES(128, CKM::Alias("KEY1_AES"), CKM::Policy())), + "Error=" << CKM::ErrorToString(temp)); + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(av)), + "Error=" << CKM::ErrorToString(temp)); + RUNNER_ASSERT_MSG( + (current_aliases_num+1) == (temp = av.size()), + "Vector size: " << temp << ". Expected: " << (current_aliases_num+1)); +} + RUNNER_TEST(T1049_deinit) { remove_user_data(USER_APP); @@ -1070,7 +1092,7 @@ RUNNER_TEST(T12113_getData_alias_not_exist) /* * These test cases tests API when damaged keys are used */ -RUNNER_TEST(T12114_rsa_key_damaged) +RUNNER_TEST(T12114_RSA_key_damaged) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -1102,7 +1124,7 @@ RUNNER_TEST(T12114_rsa_key_damaged) "Error=" << CKM::ErrorToString(ret)); } -RUNNER_TEST(T12115_rsa_key_too_short) +RUNNER_TEST(T12115_RSA_key_too_short) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -1131,7 +1153,7 @@ RUNNER_TEST(T12115_rsa_key_too_short) "Error=" << CKM::ErrorToString(ret)); } -RUNNER_TEST(T12116_dsa_key_too_short) +RUNNER_TEST(T12116_DSA_key_too_short) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -1163,12 +1185,27 @@ RUNNER_TEST(T12116_dsa_key_too_short) "Error=" << CKM::ErrorToString(ret)); } +RUNNER_TEST(T12117_AES_key_too_short) +{ + int ret; + auto manager = CKM::Manager::create(); + + size_t key_size = (128-1); + CKM::RawBuffer key_AES = createRandomBuffer(key_size/8); + + auto key = CKM::Key::create(key_AES); + CKM::Alias alias = "short-AES"; + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())), + "Error=" << CKM::ErrorToString(ret)); +} /* * These test cases tests CKM service if malicious data is provided over the socket. */ -RUNNER_TEST(T12117_rsa_key_damaged_serviceTest) +RUNNER_TEST(T12118_RSA_key_damaged_serviceTest) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -1215,7 +1252,7 @@ RUNNER_TEST(T12117_rsa_key_damaged_serviceTest) "Error=" << CKM::ErrorToString(ret)); } -RUNNER_TEST(T12118_saveCertificate_damaged_serviceTest) +RUNNER_TEST(T12119_saveCertificate_damaged_serviceTest) { ScopedAccessProvider ap("mylabel"); ap.allowAPI("key-manager::api-storage", "rw"); @@ -1261,7 +1298,7 @@ RUNNER_TEST(T12118_saveCertificate_damaged_serviceTest) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T12119_deinit) +RUNNER_TEST(T12120_deinit) { remove_user_data(USER_APP); } @@ -1402,7 +1439,7 @@ RUNNER_TEST(T1411_init) remove_user_data(0); } -RUNNER_TEST(T1412_rsa_key_create_verify) +RUNNER_TEST(T1412_RSA_key_create_verify) { int temp; auto manager = CKM::Manager::create(); @@ -1493,7 +1530,7 @@ RUNNER_TEST(T1412_rsa_key_create_verify) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1413_dsa_key_create_verify) +RUNNER_TEST(T1413_DSA_key_create_verify) { int temp; auto manager = CKM::Manager::create(); @@ -1569,7 +1606,7 @@ RUNNER_TEST(T1413_dsa_key_create_verify) } -RUNNER_TEST(T1414_ec_key_create_verify) +RUNNER_TEST(T1414_ECDSA_key_create_verify) { int temp; auto manager = CKM::Manager::create(); @@ -1643,7 +1680,7 @@ RUNNER_TEST(T1414_ec_key_create_verify) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1415_rsa_key_create_verify_negative) +RUNNER_TEST(T1415_RSA_key_create_verify_negative) { int temp; auto manager = CKM::Manager::create(); @@ -1690,7 +1727,7 @@ RUNNER_TEST(T1415_rsa_key_create_verify_negative) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1416_dsa_key_create_verify_negative) +RUNNER_TEST(T1416_DSA_key_create_verify_negative) { int temp; auto manager = CKM::Manager::create(); @@ -1737,7 +1774,7 @@ RUNNER_TEST(T1416_dsa_key_create_verify_negative) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1417_rsa_cert_create_verify_signature) +RUNNER_TEST(T1417_RSA_cert_create_verify_signature) { int temp; auto manager = CKM::Manager::create(); @@ -1835,7 +1872,7 @@ RUNNER_TEST(T1417_rsa_cert_create_verify_signature) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1418_dsa_cert_create_verify_signature) +RUNNER_TEST(T1418_DSA_cert_create_verify_signature) { int temp; auto manager = CKM::Manager::create(); @@ -1932,7 +1969,7 @@ RUNNER_TEST(T1418_dsa_cert_create_verify_signature) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T1419_ecdsa_cert_create_verify_signature) +RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature) { int temp; auto manager = CKM::Manager::create(); @@ -2130,7 +2167,7 @@ RUNNER_TEST(T14180_init) } -RUNNER_TEST(T14181_rsa_create_signatue_nohash) +RUNNER_TEST(T14181_RSA_create_signatue_nohash) { int temp; auto manager = CKM::Manager::create(); @@ -2177,7 +2214,7 @@ RUNNER_TEST(T14181_rsa_create_signatue_nohash) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T14182_rsa_create_signatue_nohash_nopad) +RUNNER_TEST(T14182_RSA_create_signatue_nohash_nopad) { int temp; auto manager = CKM::Manager::create(); @@ -2201,7 +2238,7 @@ RUNNER_TEST(T14182_rsa_create_signatue_nohash_nopad) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T14183_rsa_create_signatue_nohash_bigmsg) +RUNNER_TEST(T14183_RSA_create_signatue_nohash_bigmsg) { int temp; auto manager = CKM::Manager::create(); @@ -2245,7 +2282,7 @@ RUNNER_TEST(T14183_rsa_create_signatue_nohash_bigmsg) } -RUNNER_TEST(T14184_ec_create_signatue_nohash) +RUNNER_TEST(T14184_ECDSA_create_signatue_nohash) { int temp; auto manager = CKM::Manager::create(); @@ -2293,7 +2330,7 @@ RUNNER_TEST(T14184_ec_create_signatue_nohash) "Error=" << CKM::ErrorToString(temp)); } -RUNNER_TEST(T14185_ec_create_signatue_nohash_bigmsg) +RUNNER_TEST(T14185_ECDSA_create_signatue_nohash_bigmsg) { int temp; auto manager = CKM::Manager::create();