From: Konrad Lipinski <k.lipinski2@samsung.com>
Date: Tue, 1 Oct 2019 13:09:16 +0000 (+0200)
Subject: CKM: Test asymmetric key initial value import
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cf5d95cd734d5159b72ec7b7824e8540c3b111cb;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git

CKM: Test asymmetric key initial value import

Change-Id: I48a977ee84602ab71b9889e39e79a004811f5f48
---

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 01ce9fb..2c6f1e0 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,7 +34,7 @@ INCLUDE(FindPkgConfig)
 ############################# compiler flags ##################################
 
 SET(CMAKE_C_FLAGS              "-g")
-SET(CMAKE_CXX_FLAGS            "-g -std=c++0x")
+SET(CMAKE_CXX_FLAGS            "-g -std=c++14")
 SET(CMAKE_C_FLAGS_PROFILING    "-O0 -pg")
 SET(CMAKE_CXX_FLAGS_PROFILING  "-O0 -pg")
 SET(CMAKE_C_FLAGS_DEBUG        "-O0 -ggdb")
diff --git a/src/ckm/privileged/CMakeLists.txt b/src/ckm/privileged/CMakeLists.txt
index c83e5b2..705562c 100644
--- a/src/ckm/privileged/CMakeLists.txt
+++ b/src/ckm/privileged/CMakeLists.txt
@@ -26,6 +26,9 @@ SET(EIV_KEY_TO_BE_IMPORTED "KeyOne16BytesLen")
 SET(EIV_PLAIN_MESSAGE "ShortTestMessage")
 SET(EIV_MESSAGE_ENCRYPTION_IV "abcdefghijklmnop")
 
+SET(EIV_TEST_ASYM_XML_FILENAME "encrypted_initial_values_asym.xml")
+SET(EIV_TEST_ASYM_XML ${CMAKE_CURRENT_SOURCE_DIR}/${EIV_TEST_ASYM_XML_FILENAME})
+
 # encrypt ShortTestMessage using the imported key and 'abcdefghijklmnop' IV
 EXECUTE_PROCESS(
     COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/aes_128_cbc_encrypt.sh ${EIV_KEY_TO_BE_IMPORTED} ${EIV_MESSAGE_ENCRYPTION_IV}
@@ -38,18 +41,39 @@ IF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0")
     MESSAGE(FATAL_ERROR "Encryption failed: ${EIV_ENCRYPTION_STDERR}")
 ENDIF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0")
 
+SET(EIV_FILES ${EIV_TEST_XML} ${EIV_TEST_ASYM_XML})
+
 # prepare initial values xml target
-ADD_CUSTOM_COMMAND(OUTPUT ${EIV_TEST_XML}
-    COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key
+ADD_CUSTOM_COMMAND(OUTPUT ${EIV_FILES}
     COMMAND echo -n THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE= | base64 --decode > /tmp/encryption_key
-    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware -x ${EIV_TEST_XML}
+
+    COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware > ${EIV_TEST_XML}
+
+    COMMAND openssl genpkey -algorithm RSA -outform DER > /tmp/prvkey
+    COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PRV -t Key -s RSA_PRV > ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+    COMMAND openssl genpkey -algorithm RSA -outform PEM > /tmp/prvkey.pem
+    COMMAND openssl pkcs8 -topk8 -inform PEM -in /tmp/prvkey.pem -outform DER -nocrypt -out /tmp/prvkey
+    COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PRV -t Key -s RSA_PRV -x ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+    COMMAND openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt dsa_paramgen_q_bits:160 > /tmp/params.pem
+    COMMAND openssl genpkey -paramfile /tmp/params.pem -outform DER > /tmp/prvkey
+    COMMAND openssl dsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_DSA_PRV -t Key -s DSA_PRV -x ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_DSA_PUB -t Key -s DSA_PUB -x ${EIV_TEST_ASYM_XML}
+
     COMMENT "Generating encrypted initial values test xml"
     VERBATIM
 )
 
-ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_TEST_XML})
+ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_FILES})
 
-INSTALL(FILES ${EIV_TEST_XML} DESTINATION ${CKM_TEST_DIR})
+INSTALL(FILES ${EIV_FILES} DESTINATION ${CKM_TEST_DIR})
 
 # ckm-tests
 PKG_CHECK_MODULES(CKM_DEP
@@ -90,6 +114,7 @@ TARGET_COMPILE_DEFINITIONS(${TARGET_CKM_PRIVILEGED_TESTS}
     PRIVATE EIV_ENCRYPTED_MESSAGE_HEX="${EIV_ENCRYPTED_MESSAGE_HEX}"
     PRIVATE EIV_MESSAGE_ENCRYPTION_IV="${EIV_MESSAGE_ENCRYPTION_IV}"
     PRIVATE EIV_TEST_XML_FILENAME="${EIV_TEST_XML_FILENAME}"
+    PRIVATE EIV_TEST_ASYM_XML_FILENAME="${EIV_TEST_ASYM_XML_FILENAME}"
 )
 
 INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin)
diff --git a/src/ckm/privileged/initial-values.cpp b/src/ckm/privileged/initial-values.cpp
index ab3629b..3953ac1 100644
--- a/src/ckm/privileged/initial-values.cpp
+++ b/src/ckm/privileged/initial-values.cpp
@@ -63,40 +63,36 @@ std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "
 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
 
-std::string format_src_path(const char *file)
+auto format_dest_path(const char *file)
 {
-    return std::string(CKM_TEST_DIR) + std::string(file);
+    return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
 }
 
-std::string format_dest_path(const char *file)
-{
-    return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
+void test_not_exists(const char *file) {
+    const auto name = format_dest_path(file);
+    const bool file_exists = access(name.c_str(), F_OK) != -1;
+    RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
 }
 
-void copy_file(const std::string &from, const std::string &to)
+void copy_file(const char *file)
 {
-    std::ifstream infile(from, std::ios_base::binary);
-    RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
-    std::ofstream outfile(to, std::ios_base::binary);
-    RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
+    const auto src = std::string(CKM_TEST_DIR) + file;
+    const auto dest = format_dest_path(file);
+    std::ifstream infile(src, std::ios_base::binary);
+    RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
+    std::ofstream outfile(dest, std::ios_base::binary);
+    RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
     outfile << infile.rdbuf();
 }
 
-void restart_key_manager()
+void restart_key_manager(const std::initializer_list<const char * const> files_to_copy = {})
 {
     stop_service(MANAGER);
+    for (const auto f : files_to_copy)
+        copy_file(f);
     start_service(MANAGER);
 }
 
-void test_exists(const std::string& name, bool expected) {
-    bool file_exists = (access( name.c_str(), F_OK ) != -1);
-    RUNNER_ASSERT_MSG(file_exists == expected,
-                      "File " << name << " status: " << file_exists <<
-                      " while expected: " << expected);
-}
-
-}
-
 int hexToBin(char h) {
     if (h >= '0' && h <= '9')
         return h - '0';
@@ -117,6 +113,8 @@ CKM::RawBuffer hexToBin(std::string &hex) {
     return output;
 }
 
+} // namespace
+
 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 
 RUNNER_TEST(T6001_init)
@@ -128,19 +126,10 @@ RUNNER_TEST(T6001_init)
     // restart the key-manager
     // check XML file doesn't exist
 
-    copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
-    copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
-    copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
-
-    test_exists(format_dest_path(XML_1_okay), true);
-    test_exists(format_dest_path(XML_2_okay), true);
-    test_exists(format_dest_path(XML_3_wrong), true);
-
-    restart_key_manager();
-
-    test_exists(format_dest_path(XML_1_okay), false);
-    test_exists(format_dest_path(XML_2_okay), false);
-    test_exists(format_dest_path(XML_3_wrong), false);
+    const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
+    restart_key_manager(files);
+    for (const auto f : files)
+        test_not_exists(f);
 }
 
 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
@@ -269,8 +258,7 @@ RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
     std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
     std::string iv         = EIV_MESSAGE_ENCRYPTION_IV;
 
-    copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
-    restart_key_manager();
+    restart_key_manager({EIV_TEST_XML_FILENAME});
 
     CKM::CryptoAlgorithm algo;
     CKM::RawBuffer messageBin = hexToBin(messageHex);
@@ -285,6 +273,44 @@ RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
     RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
 }
 
+RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
+{
+    restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
+    constexpr char testDataStr[] = "test-data";
+    const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
+    CKM::RawBuffer encrypted, decrypted, signature;
+    CKM::CryptoAlgorithm algoRsa;
+    algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
+
+    auto mgr = CKM::Manager::create();
+    int temp;
+
+    #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
+
+    const auto rsaCrypt = [&](auto pub, auto prv) {
+        MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
+        RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
+        MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
+        RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
+    };
+
+    rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
+    rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
+
+    const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
+        MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
+        MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
+    };
+
+    constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
+    constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
+    sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
+    sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
+    sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
+
+    #undef MGR
+}
+
 /* TODO
  * - RW/RO location support (files removal, flag handling)
  * - item overwrite