From: Andrei Vakulich Date: Fri, 7 Jun 2024 12:32:25 +0000 (+0200) Subject: Added key and data backend checks to tests X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d700b27bcf7d5e5d837f0efea117f19cb032cd3f;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Added key and data backend checks to tests Checks were added to tests: e2ee-adaptation-layer, key-derivation, key-wrapping, capi-testcases. Change-Id: I4c310c0ee56dcb5d5b8557bbc02c5424efdf6b9f --- diff --git a/src/ckm/ckm-common.cpp b/src/ckm/ckm-common.cpp index 72224673..4830257e 100644 --- a/src/ckm/ckm-common.cpp +++ b/src/ckm/ckm-common.cpp @@ -22,7 +22,6 @@ #include #include #include -#include #include #include #include @@ -35,7 +34,6 @@ #include #include #include -#include #include const std::string SMACK_USER_APP_PREFIX = "User::Pkg::"; @@ -399,28 +397,39 @@ void check_alias_list(const CKM::AliasVector& expected) void check_alias_info_list_helper(const InfoVector& expected, const InfoMap& actual, - const std::string &userSmackLabel) + const std::string &userSmackLabel, + const bool shouldHaveSameSize) { std::string errorLogMsg; - RUNNER_ASSERT_MSG(expected.size() == actual.size(), "Aliases item count differs, expected: " << - expected.size() << " actual: " << actual.size()); + if (shouldHaveSameSize) + { + RUNNER_ASSERT_MSG(expected.size() == actual.size(), + "Aliases item count differs, expected: " << + expected.size() << " actual: " << actual.size()); + } for (const auto &expectedIt : expected) { - auto actualIt = actual.find(userSmackLabel + expectedIt.alias); + const auto expectedAlias = aliasWithLabel(userSmackLabel.empty() ? nullptr : + userSmackLabel.c_str(), + expectedIt.alias.c_str()); + auto actualIt = actual.find(expectedAlias); if (actualIt != actual.end()) { if (actualIt->second.passwordProtected != expectedIt.passwordProtected) { - errorLogMsg += "Alias: " + actualIt->second.alias + " has wrong encryption status: " - + std::to_string(actualIt->second.passwordProtected) + "\n"; + errorLogMsg += "Alias: " + actualIt->second.alias + + " has wrong encryption status: " + + std::to_string(actualIt->second.passwordProtected) + "\n"; } if (actualIt->second.backend != expectedIt.backend) { - errorLogMsg += "Alias: " + actualIt->second.alias + " belongs to wrong backend: " - + std::to_string(static_cast(actualIt->second.backend)) + "\n"; + errorLogMsg += "Alias: " + actualIt->second.alias + + " belongs to wrong backend: " + + std::to_string(static_cast(actualIt->second.backend)) + + "\n"; } } else { - errorLogMsg += "Expected alias: " + actualIt->second.alias + " not found.\n"; + errorLogMsg += "Expected alias: " + expectedAlias + " not found.\n"; } } @@ -431,10 +440,25 @@ void check_alias_info_list_helper(const InfoVector& expected, " status: " + std::to_string(info.passwordProtected) + " backend: " + std::to_string(static_cast(info.backend)) + "\n"; } - RUNNER_FAIL_MSG("Actual list of aliases differ from expected list.\n" + errorLogMsg); + RUNNER_FAIL_MSG(errorLogMsg); } } +CKM::BackendId get_self_key_alias_backend(const std::string& key) +{ + return get_alias_backend(ckmc_get_key_alias_info_list, getOwnerIdFromSelf(), key); +} + +CKM::BackendId get_self_data_alias_backend(const std::string& key) +{ + return get_alias_backend(ckmc_get_data_alias_info_list, getOwnerIdFromSelf(), key); +} + +bool isPasswordProtected(const ckmc_policy_s& policy) +{ + return policy.password != nullptr; +} + CKM::BackendId backend() { #ifdef TZ_BACKEND @@ -444,42 +468,6 @@ CKM::BackendId backend() #endif } -void check_alias_info_list(const InfoVector& expected) -{ - ckmc_alias_info_list_s *aliasInfoList = NULL; - int ret = ckmc_get_data_alias_info_list(&aliasInfoList); - RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get the list of data aliases. " << ret << " / " - << CKMCErrorToString(ret)); - - InfoMap actual; - ckmc_alias_info_list_s *plist = aliasInfoList; - char* alias = nullptr; - bool isPasswordProtected; - unsigned int it = 0; - while (plist) - { - ret = ckmc_alias_info_get_alias(plist->info, &alias); - RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias. " << ret << " / " - << CKMCErrorToString(ret)); - RUNNER_ASSERT_MSG(alias != nullptr, "Got null alias. Iterator: " << it); - - ret = ckmc_alias_info_is_password_protected(plist->info, &isPasswordProtected); - RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get password protection status" << ret << " / " - << CKMCErrorToString(ret)); - - ckmc_backend_id_e backend; - ret = ckmc_alias_info_get_backend(plist->info, &backend); - RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get backend" << ret << " / " - << CKMCErrorToString(ret)); - - actual.try_emplace(alias, alias, isPasswordProtected, static_cast(backend)); - plist = plist->next; - it++; - } - ckmc_alias_info_list_all_free(aliasInfoList); - check_alias_info_list_helper(expected, actual); -} - size_t count_aliases(alias_type_ type, size_t minimum_initial_element_count) { ckmc_alias_list_s *aliasList = NULL; diff --git a/src/ckm/ckm-common.h b/src/ckm/ckm-common.h index 05af5b2d..0af4c7d8 100644 --- a/src/ckm/ckm-common.h +++ b/src/ckm/ckm-common.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -153,6 +154,11 @@ void reset_user_data(uid_t user_id, const char *passwd); ckmc_raw_buffer_s prepare_message_buffer(const char * input); void check_alias_list(const CKM::AliasVector& expected); +CKM::BackendId get_self_key_alias_backend(const std::string& key); +CKM::BackendId get_self_data_alias_backend(const std::string& key); + +bool isPasswordProtected(const ckmc_policy_s&); + struct Info { Info(const CKM::Alias &alias, bool passwordProtected, @@ -161,6 +167,19 @@ struct Info { passwordProtected(passwordProtected), backend(backend) {} + Info(const CKM::Alias &alias, + const ckmc_policy_s &policy, + const CKM::BackendId backend = CKM::BackendId::SW) : + Info(alias, isPasswordProtected(policy), backend) {} + + Info(const CKM::Alias &alias, + const ckmc_policy_s &policy, + const CKM::Alias &aliasWithSameBackend, + const bool isAliasWithSameBackendKey = true) : + Info(alias, policy, isAliasWithSameBackendKey ? + get_self_key_alias_backend(aliasWithSameBackend) : + get_self_data_alias_backend(aliasWithSameBackend)) {} + CKM::Alias alias; bool passwordProtected; CKM::BackendId backend; @@ -172,8 +191,122 @@ CKM::BackendId backend(); void check_alias_info_list_helper(const InfoVector& expected, const InfoMap& actual, - const std::string &userSmackLabel = {}); -void check_alias_info_list(const InfoVector& expected); + const std::string &userSmackLabel = {}, + const bool shouldHaveSameSize = true); + +template +void check_alias_info_list(Func&& getAliasInfoList, + const InfoVector& expected, + const std::string &userSmackLabel = {}, + const bool shouldHaveSameSize = true) +{ + ckmc_alias_info_list_s *aliasInfoList = nullptr; + int ret = std::forward(getAliasInfoList)(&aliasInfoList); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get the list of data aliases. " + << ret << " / " << CKMCErrorToString(ret)); + std::unique_ptr + remover(aliasInfoList, &ckmc_alias_info_list_all_free); + + InfoMap actual; + ckmc_alias_info_list_s *plist = aliasInfoList; + char* alias = nullptr; + bool isPasswordProtected; + unsigned int it = 0; + while (plist) + { + ret = ckmc_alias_info_get_alias(plist->info, &alias); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias. " << ret << " / " + << CKMCErrorToString(ret)); + RUNNER_ASSERT_MSG(alias != nullptr, "Got null alias. Iterator: " << it); + ret = ckmc_alias_info_is_password_protected(plist->info, &isPasswordProtected); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get password protection status" + << ret << " / " << CKMCErrorToString(ret)); + ckmc_backend_id_e backend; + ret = ckmc_alias_info_get_backend(plist->info, &backend); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get backend" << ret << " / " + << CKMCErrorToString(ret)); + + actual.try_emplace(alias, alias, isPasswordProtected, static_cast(backend)); + plist = plist->next; + ++it; + } + + check_alias_info_list_helper(expected, actual, userSmackLabel, shouldHaveSameSize); +} + +template +void check_alias_info_list(Func&& getAliasInfoList, + const std::string &userSmackLabel, + const bool shouldHaveSameSize, + Args&&... args) +{ + InfoVector expected; + expected.reserve(sizeof...(args)); + (expected.emplace_back(std::forward(args)), ...); + check_alias_info_list(std::forward(getAliasInfoList), expected, + userSmackLabel, shouldHaveSameSize); +} + +template +void check_self_key_alias_info_list(const bool shouldHaveSameSize, + Args&&... args) +{ + check_alias_info_list(ckmc_get_key_alias_info_list, + getOwnerIdFromSelf(), + shouldHaveSameSize, + std::forward(args)...); +} + +template +void check_self_data_alias_info_list(const bool shouldHaveSameSize, + Args&&... args) +{ + check_alias_info_list(ckmc_get_data_alias_info_list, + getOwnerIdFromSelf(), + shouldHaveSameSize, + std::forward(args)...); +} + +template +CKM::BackendId get_alias_backend(Func&& getAliasInfoList, + const std::string &userSmackLabel, + const std::string &key) +{ + ckmc_alias_info_list_s *aliasInfoList = nullptr; + int ret = std::forward(getAliasInfoList)(&aliasInfoList); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get the list of data aliases. " + << ret << " / " << CKMCErrorToString(ret)); + std::unique_ptr + remover(aliasInfoList, &ckmc_alias_info_list_all_free); + + ckmc_alias_info_list_s *plist = aliasInfoList; + char* alias = nullptr; + unsigned int it = 0; + const auto expectedAlias = aliasWithLabel(userSmackLabel.empty() ? nullptr : + userSmackLabel.c_str(), key.c_str()); + while (plist) + { + ret = ckmc_alias_info_get_alias(plist->info, &alias); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias. " << ret << " / " + << CKMCErrorToString(ret)); + RUNNER_ASSERT_MSG(alias != nullptr, "Got null alias. Iterator: " << it); + + if (expectedAlias == alias) + { + ckmc_backend_id_e backend; + ret = ckmc_alias_info_get_backend(plist->info, &backend); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get backend" << ret << " / " + << CKMCErrorToString(ret)); + + return static_cast(backend); + } + + plist = plist->next; + ++it; + } + + RUNNER_FAIL_MSG("Could not find alias: " << expectedAlias); +} typedef enum { ALIAS_KEY, diff --git a/src/ckm/privileged/system-db.cpp b/src/ckm/privileged/system-db.cpp index 256a97ba..4bda7edd 100644 --- a/src/ckm/privileged/system-db.cpp +++ b/src/ckm/privileged/system-db.cpp @@ -501,7 +501,7 @@ RUNNER_TEST(T5046_CLIENT_GET_ALIAS_STATUS_NO_PASSWORD, RemoveDataEnv<0>) expected.emplace_back(TEST_SYSTEM_ALIAS, false, backend()); expected.emplace_back(TEST_SYSTEM_ALIAS_2, false, backend()); - check_alias_info_list(expected); + check_alias_info_list(ckmc_get_data_alias_info_list, expected); } RUNNER_TEST(T5047_CLIENT_GET_ALIAS_STATUS_PASSWORD_PROTECTED, RemoveDataEnv<0>) @@ -526,5 +526,5 @@ RUNNER_TEST(T5047_CLIENT_GET_ALIAS_STATUS_PASSWORD_PROTECTED, RemoveDataEnv<0>) expected.emplace_back(TEST_SYSTEM_ALIAS_2, true, backend()); expected.emplace_back(TEST_SYSTEM_ALIAS_2 + "1", true, backend()); - check_alias_info_list(expected); + check_alias_info_list(ckmc_get_data_alias_info_list, expected); } diff --git a/src/ckm/unprivileged/capi-testcases.cpp b/src/ckm/unprivileged/capi-testcases.cpp index 6d0a756f..3c69f555 100644 --- a/src/ckm/unprivileged/capi-testcases.cpp +++ b/src/ckm/unprivileged/capi-testcases.cpp @@ -1029,6 +1029,10 @@ RUNNER_TEST(T3053_CAPI_create_DSA_key) CKMC_ERROR_NONE == (temp = ckmc_create_key_pair_dsa(size, private_key_alias, public_key_alias, policy_private_key, policy_public_key)), CKMCReadableError(temp)); + check_self_key_alias_info_list(false, + Info(private_key_alias, policy_private_key), + Info(public_key_alias, policy_public_key)); + size_t actual_cnt = count_aliases(ALIAS_KEY); RUNNER_ASSERT_MSG( (current_aliases_num+2) == actual_cnt, @@ -1145,20 +1149,77 @@ RUNNER_TEST(T3063_CAPI_CreateKeyPairDSA) int temp; size_t size = 1024; - CKM::Alias private_key_alias = "dsa-test-1"; - CKM::Alias public_key_alias = "dsa-test-2"; - ckmc_policy_s policy_private_key; - ckmc_policy_s policy_public_key; - - policy_private_key.password = const_cast("privatepassword"); - policy_private_key.extractable = 0; - - policy_public_key.password = NULL; - policy_public_key.extractable = 1; - - RUNNER_ASSERT_MSG( - CKMC_ERROR_NONE == (temp = ckmc_create_key_pair_dsa(size, private_key_alias.c_str(), public_key_alias.c_str(), policy_private_key, policy_public_key)), - CKMCReadableError(temp)); + CKM::Alias private_key_alias_1 = "private-dsa-test-1"; + CKM::Alias public_key_alias_1 = "public-dsa-test-1"; + ckmc_policy_s policy_private_key_1 = { const_cast("privatepassword"), true }; + ckmc_policy_s policy_public_key_1 = { NULL, true }; + + RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == + (temp = ckmc_create_key_pair_dsa(size, + private_key_alias_1.c_str(), + public_key_alias_1.c_str(), + policy_private_key_1, + policy_public_key_1)), + CKMCReadableError(temp)); + + CKM::Alias private_key_alias_2 = "private-dsa-test-2"; + CKM::Alias public_key_alias_2 = "public-dsa-test-2"; + ckmc_policy_s policy_private_key_2 = { NULL, true }; + ckmc_policy_s policy_public_key_2 = { NULL, false }; + + RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == + (temp = ckmc_create_key_pair_dsa(size, + private_key_alias_2.c_str(), + public_key_alias_2.c_str(), + policy_private_key_2, + policy_public_key_2)), + CKMCReadableError(temp)); + + CKM::Alias private_key_alias_3 = "private-dsa-test-3"; + CKM::Alias public_key_alias_3 = "public-dsa-test-3"; + ckmc_policy_s policy_private_key_3 = { NULL, false }; + ckmc_policy_s policy_public_key_3 = { NULL, true }; + + RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == + (temp = ckmc_create_key_pair_dsa(size, + private_key_alias_3.c_str(), + public_key_alias_3.c_str(), + policy_private_key_3, + policy_public_key_3)), + CKMCReadableError(temp)); + + CKM::Alias private_key_alias_4 = "private-dsa-test-4"; + CKM::Alias public_key_alias_4 = "public-dsa-test-4"; + ckmc_policy_s policy_private_key_4 = { NULL, false }; + ckmc_policy_s policy_public_key_4 = { NULL, false }; + + RUNNER_ASSERT_MSG(CKMC_ERROR_NONE == + (temp = ckmc_create_key_pair_dsa(size, + private_key_alias_4.c_str(), + public_key_alias_4.c_str(), + policy_private_key_4, + policy_public_key_4)), + CKMCReadableError(temp)); + + check_self_key_alias_info_list(false, + Info(private_key_alias_1, + policy_private_key_1), + Info(public_key_alias_1, + policy_public_key_1), + Info(private_key_alias_2, + policy_private_key_2), + Info(public_key_alias_2, + policy_public_key_2), + Info(private_key_alias_3, + policy_private_key_3), + Info(public_key_alias_3, + policy_public_key_3), + Info(private_key_alias_4, + policy_private_key_4, + backend()), + Info(public_key_alias_4, + policy_public_key_4, + backend())); } RUNNER_TEST(T3064_CAPI_CreateKeyPairECDSA) @@ -1876,6 +1937,10 @@ RUNNER_TEST(T3087_CAPI__dsa_int_key_create_verify_with_negative) CKMC_ERROR_NONE == (temp = ckmc_create_key_pair_dsa(size, pri_alias.c_str(), pub_alias.c_str(), policy_private_key, policy_public_key)), "Error=" << temp); + check_self_key_alias_info_list(false, + Info(pri_alias, policy_private_key), + Info(pub_alias, policy_public_key)); + char *pri_passwd = NULL; char *pub_passwd = NULL; ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256; diff --git a/src/ckm/unprivileged/key-derivation.cpp b/src/ckm/unprivileged/key-derivation.cpp index a5cab2f7..18140aaa 100644 --- a/src/ckm/unprivileged/key-derivation.cpp +++ b/src/ckm/unprivileged/key-derivation.cpp @@ -42,6 +42,8 @@ const KeyAliasPair RSA = { "rsa_private", "rsa_public" }; const KeyAliasPair RSA_EXPORTABLE = { "rsa_private_exp", "rsa_public_exp" }; const std::string DERIVED = "derived"; const std::string DERIVED2 = "derived2"; +const std::string DERIVED3 = "derived3"; +const std::string DERIVED4 = "derived4"; const std::string SECRET = "secret"; const ckmc_policy_s UNEXPORTABLE { nullptr, false }; @@ -134,6 +136,20 @@ public: RSA_EXPORTABLE.pub.c_str(), EXPORTABLE, EXPORTABLE); + + check_self_key_alias_info_list(true, + Info(OURS.prv, UNEXPORTABLE, backend()), + Info(OURS.pub, EXPORTABLE, backend()), + Info(PEERS.prv, UNEXPORTABLE_PW, backend()), + Info(PEERS.pub, EXPORTABLE, backend()), + Info(PEERS2.prv, EXPORTABLE), + Info(PEERS2.pub, EXPORTABLE), + Info(WRONG.prv, UNEXPORTABLE, backend()), + Info(WRONG.pub, EXPORTABLE, backend()), + Info(RSA.prv, UNEXPORTABLE, backend()), + Info(RSA.pub, EXPORTABLE, backend()), + Info(RSA_EXPORTABLE.prv, EXPORTABLE), + Info(RSA_EXPORTABLE.pub, EXPORTABLE)); } void Finish() override @@ -166,6 +182,8 @@ struct DerivedFixture { ckmc_remove_alias(DERIVED.c_str()); ckmc_remove_alias(DERIVED2.c_str()); + ckmc_remove_alias(DERIVED3.c_str()); + ckmc_remove_alias(DERIVED4.c_str()); } }; @@ -219,7 +237,7 @@ RawBufferPtr deriveEcdhAndGet(const std::string& prvAlias, ckmc_raw_buffer_s *derivedBuffer = nullptr; assert_positive(ckmc_get_data, derivedAlias.c_str(), derivedPolicy.password, &derivedBuffer); - ckmc_remove_alias(derivedAlias.c_str()); + check_self_data_alias_info_list(false, Info(derivedAlias, derivedPolicy, prvAlias)); return create_raw_buffer(derivedBuffer); } @@ -310,6 +328,8 @@ private: "", DERIVED.c_str(), UNEXPORTABLE); + + check_self_key_alias_info_list(false, Info(DERIVED, UNEXPORTABLE, SECRET, false)); #else assert_positive(ckmc_key_derive, derive.get(), @@ -318,6 +338,8 @@ private: DERIVED.c_str(), EXPORTABLE); + check_self_key_alias_info_list(false, Info(DERIVED, EXPORTABLE, SECRET, false)); + ckmc_key_s *derived = nullptr; assert_positive(ckmc_get_key, DERIVED.c_str(), "", &derived); size_t derived_size = derived->key_size; @@ -382,13 +404,17 @@ RUNNER_TEST_GROUP_INIT_ENV(CKM_DERIVE_ECDH, EcdhGroupFixture); RUNNER_TEST(TECDH_0010_positive, DerivedFixture) { auto ourDerived = deriveEcdhAndGet(OURS.prv, "", PEERS.pub, DERIVED, EXPORTABLE); - auto peerDerived = deriveEcdhAndGet(PEERS.prv, PASSWORD, OURS.pub, DERIVED, EXPORTABLE_PW); + auto peerDerived = deriveEcdhAndGet(PEERS.prv, PASSWORD, OURS.pub, DERIVED2, EXPORTABLE_PW); assert_buffers_equal(ourDerived.get(), peerDerived.get()); - auto wrongDerived = deriveEcdhAndGet(OURS.prv, "", PEERS2.pub, DERIVED, EXPORTABLE); + auto wrongDerived = deriveEcdhAndGet(OURS.prv, "", PEERS2.pub, DERIVED3, EXPORTABLE); assert_buffers_equal(ourDerived.get(), wrongDerived.get(), false); + + auto peer2Derived = deriveEcdhAndGet(PEERS2.prv, "", OURS.pub, DERIVED4, EXPORTABLE); + + assert_buffers_equal(wrongDerived.get(), peer2Derived.get()); } RUNNER_TEST(TECDH_0020_missing_arguments, DerivedFixture) @@ -448,6 +474,8 @@ RUNNER_TEST(TECDH_0040_alias_exists, DerivedFixture) "", DERIVED.c_str(), EXPORTABLE); + + check_self_data_alias_info_list(true, Info(DERIVED, EXPORTABLE, OURS.prv)); } RUNNER_TEST(TECDH_0050_derived_password, DerivedFixture) @@ -461,6 +489,8 @@ RUNNER_TEST(TECDH_0050_derived_password, DerivedFixture) DERIVED.c_str(), EXPORTABLE_PW); + check_self_data_alias_info_list(true, Info(DERIVED, EXPORTABLE_PW, OURS.prv)); + ckmc_raw_buffer_s *derived = nullptr; assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_data, DERIVED.c_str(), "", &derived); assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_data, DERIVED.c_str(), "pw", &derived); @@ -474,6 +504,8 @@ RUNNER_TEST(TECDH_0050_derived_password, DerivedFixture) DERIVED.c_str(), EXPORTABLE); + check_self_data_alias_info_list(true, Info(DERIVED, EXPORTABLE, OURS.prv)); + assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_data, DERIVED.c_str(), "pw", &derived); assert_result( CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_data, DERIVED.c_str(), PASSWORD, &derived); @@ -490,6 +522,8 @@ RUNNER_TEST(TECDH_0050_derived_unexportable, DerivedFixture) DERIVED.c_str(), UNEXPORTABLE); + check_self_data_alias_info_list(true, Info(DERIVED, UNEXPORTABLE, OURS.prv)); + ckmc_raw_buffer_s *derived = nullptr; assert_result(CKMC_ERROR_NOT_EXPORTABLE, ckmc_get_data, DERIVED.c_str(), "", &derived); } @@ -571,6 +605,8 @@ public: ckmc_raw_buffer_s* secret = createRandomBufferCAPI(32); assert_positive(ckmc_save_data, SECRET.c_str(), *secret, UNEXPORTABLE); + + check_self_data_alias_info_list(true, Info(SECRET, UNEXPORTABLE, backend())); } void Finish() override @@ -643,6 +679,11 @@ RUNNER_TEST(TKBKDF_0020_derive_from_derived, DerivedFixture) DERIVED2.c_str(), UNEXPORTABLE); + const auto backend = get_self_data_alias_backend(SECRET); + check_self_key_alias_info_list(true, + Info(DERIVED, UNEXPORTABLE, backend), + Info(DERIVED2, UNEXPORTABLE, backend)); + const RawBufferPtr randomData = create_raw_buffer(createRandomBufferCAPI(16)); ckmc_raw_buffer_s *encrypted = nullptr; ckmc_raw_buffer_s *decrypted = nullptr; @@ -702,6 +743,8 @@ RUNNER_TEST(TKBKDF_0050_alias_exists, DerivedFixture) DERIVED.c_str(), UNEXPORTABLE); + check_self_key_alias_info_list(true, Info(DERIVED, UNEXPORTABLE, SECRET, false)); + assert_result(CKMC_ERROR_DB_ALIAS_EXISTS, ckmc_key_derive, kbkdfParams.get(), @@ -728,6 +771,11 @@ RUNNER_TEST(TKBKDF_0060_derived_password, DerivedFixture) DERIVED2.c_str(), UNEXPORTABLE); + const auto backend = get_self_data_alias_backend(SECRET); + check_self_key_alias_info_list(true, + Info(DERIVED, UNEXPORTABLE_PW, backend), + Info(DERIVED2, UNEXPORTABLE, backend)); + const RawBufferPtr randomData = create_raw_buffer(createRandomBufferCAPI(16)); ckmc_raw_buffer_s *encrypted = nullptr; ckmc_raw_buffer_s *decrypted = nullptr; @@ -779,6 +827,8 @@ RUNNER_TEST(TKBKDF_0070_unexportable, DerivedFixture) DERIVED.c_str(), UNEXPORTABLE); + check_self_key_alias_info_list(true, Info(DERIVED, UNEXPORTABLE, SECRET, false)); + ckmc_key_s *derived = nullptr; assert_result(CKMC_ERROR_NOT_EXPORTABLE, ckmc_get_key, DERIVED.c_str(), "", &derived); } diff --git a/src/ckm/unprivileged/key-wrapping.cpp b/src/ckm/unprivileged/key-wrapping.cpp index a8016574..df976447 100644 --- a/src/ckm/unprivileged/key-wrapping.cpp +++ b/src/ckm/unprivileged/key-wrapping.cpp @@ -159,6 +159,9 @@ public: RSA_KEY_4096_PUB_ALIAS.c_str(), UNEXPORTABLE, EXPORTABLE); + check_self_key_alias_info_list(false, + Info(RSA_KEY_4096_PRV_ALIAS, UNEXPORTABLE, backend()), + Info(RSA_KEY_4096_PUB_ALIAS, EXPORTABLE, backend())); #endif assert_positive(ckmc_create_key_aes, 128, AES_KEY_128_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 192, AES_KEY_192_ALIAS.c_str(), UNEXPORTABLE); @@ -168,9 +171,25 @@ public: assert_positive(ckmc_create_key_aes, 128, AES_KEY_UNEXP_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 128, AES_KEY_UNEXP_PASS_ALIAS.c_str(), UNEXPORTABLE_PASS); + check_self_key_alias_info_list(false, + Info(RSA_KEY_1024_PRV_ALIAS, UNEXPORTABLE, backend()), + Info(RSA_KEY_1024_PUB_ALIAS, EXPORTABLE, backend()), + Info(RSA_KEY_2048_PRV_ALIAS, UNEXPORTABLE, backend()), + Info(RSA_KEY_2048_PUB_ALIAS, EXPORTABLE, backend()), + Info(RSA_KEY_3072_PRV_ALIAS, UNEXPORTABLE, backend()), + Info(RSA_KEY_3072_PUB_ALIAS, EXPORTABLE, backend()), + Info(AES_KEY_128_ALIAS, UNEXPORTABLE, backend()), + Info(AES_KEY_192_ALIAS, UNEXPORTABLE, backend()), + Info(AES_KEY_256_ALIAS, UNEXPORTABLE, backend()), + Info(AES_KEY_128_PASS_ALIAS, UNEXPORTABLE_PASS, backend()), + Info(AES_KEY_UNEXP_ALIAS, UNEXPORTABLE, backend()), + Info(AES_KEY_UNEXP_PASS_ALIAS, UNEXPORTABLE_PASS, + backend())); + importKey(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, IMP_AES_CTR, UNEXPORTABLE); importKey(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, IMP_AES_CTR_PASS, UNEXPORTABLE_PASS); } + void Finish() override { int ret = ckmc_lock_user_key(UID); if (ret != CKMC_ERROR_NONE) @@ -311,6 +330,9 @@ RawBufferPtr encryptAndImport(const ParamListPtr ¶ms, aesKey, importedKeyPolicy); + check_self_key_alias_info_list(false, + Info(importedKeyAlias, importedKeyPolicy, unwrappingKeyAlias)); + ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); return plainData; @@ -364,6 +386,7 @@ void testInvalidAlgoParameters(const ParamListPtr &invalidParams, const Algo &al ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } + void testImportInvalidBuffLen(const Algo &algo, int buffLen, const Alias &wrappingKeyAlias, @@ -429,6 +452,8 @@ void assert_aes_key_value(const Alias &keyAlias, const char* keyPass, RawBufferP *aesKey, UNEXPORTABLE); + check_self_key_alias_info_list(false, Info(SAVED_ALIAS, UNEXPORTABLE, backend())); + assert_positive(ckmc_encrypt_data, encParams.get(), SAVED_ALIAS.c_str(), @@ -482,6 +507,8 @@ void testImportValidArgs(const Algo &algo, aesKey, UNEXPORTABLE); + check_self_key_alias_info_list(false, Info(IMPORTED_ALIAS, UNEXPORTABLE, unwrappingKeyAlias)); + ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); @@ -531,7 +558,7 @@ void testExportableImported(const Algo &algo, nullptr, &aesKey); - // can't import exportable key into into TZ backend + // can't import exportable key into TZ backend assert_invalid_param(ckmc_import_wrapped_key, params.get(), wrappingKeyAlias.c_str(), @@ -606,6 +633,9 @@ void importKey(const Algo &algo, aesKey, importedKeyPolicy); + check_self_key_alias_info_list(false, + Info(importedKeyAlias, importedKeyPolicy, wrappingKeyAlias)); + ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } @@ -887,6 +917,8 @@ void testWrapUnwrapKeys( UNEXPORTABLE, &dataImp); + check_self_key_alias_info_list(false, Info("AES_KEY_IMP", UNEXPORTABLE, prvAlias)); + assert_buffers_equal(data, dataImp); params = getDefaultParams(AES_CBC_ALGO); @@ -916,6 +948,8 @@ void testWrapUnwrapKeys( keyPolicy, &dataImp); + check_self_key_alias_info_list(false, Info("AES_KEY_IMP", keyPolicy, prvAlias)); + assert_positive(ckmc_get_key, aliasAES.c_str(), keyPolicy.password, &aesKey); assert_positive(ckmc_get_key, "AES_KEY_IMP", keyPolicy.password, &aesKeyImp); @@ -1003,6 +1037,13 @@ void testImportExportAesBetweenTzSwBackends(const Algo &wrapAlgo, pTmpKey1, EXPORTABLE); + check_self_key_alias_info_list(false, + Info(targetKeyAlias0, EXPORTABLE), + Info(targetKeyAlias1, UNEXPORTABLE, wrappingKeyUnexpAlias), + Info(targetKeyAlias2, EXPORTABLE, wrappingKeyExpAlias), + Info(wrappingKeyExpAlias, EXPORTABLE), + Info(wrappingKeyUnexpAlias, UNEXPORTABLE, backend())); + // 6. Check key values assert_aes_key_value(targetKeyAlias0.c_str(), nullptr, targetKeyValue); assert_aes_key_value(targetKeyAlias1.c_str(), nullptr, targetKeyValue); @@ -1531,6 +1572,10 @@ RUNNER_TEST(TKW_EXPORT_WRONG_TYPE_WRAPPING_KEY) { UNEXPORTABLE, EXPORTABLE); + check_self_key_alias_info_list(false, + Info("ECDSA-prv", UNEXPORTABLE, backend()), + Info("ECDSA-pub", EXPORTABLE, backend())); + assert_invalid_param(ckmc_export_wrapped_key, params.get(), "ECDSA-prv", @@ -1805,6 +1850,12 @@ RUNNER_TEST(TKW_RSA_WRAPPED_KEY) { // TZ assert_positive(ckmc_create_key_pair_rsa, 1024, "RPV2", "RPB2", UNEXPORTABLE, EXPORTABLE); + check_self_key_alias_info_list(false, + Info("RPV", EXPORTABLE), + Info("RPB", EXPORTABLE), + Info("RPV2", UNEXPORTABLE, backend()), + Info("RPB2", EXPORTABLE, backend())); + ckmc_raw_buffer_s *encrypted = nullptr; ckmc_raw_buffer_s *rsaKeyData = nullptr; diff --git a/src/ckm/unprivileged/main.cpp b/src/ckm/unprivileged/main.cpp index 20ce8431..88e8afe7 100644 --- a/src/ckm/unprivileged/main.cpp +++ b/src/ckm/unprivileged/main.cpp @@ -489,7 +489,7 @@ RUNNER_TEST(T1024_app_user_save_keys_get_alias_pwd) actual.try_emplace(info.alias, info.alias, status, info.backend); } - check_alias_info_list_helper(expected, actual, "/User "); + check_alias_info_list_helper(expected, actual, getOwnerIdFromSelf()); remove_user_data(OWNER_USER_ID); } @@ -536,7 +536,7 @@ RUNNER_TEST(T1025_app_user_save_certificates_get_alias_pwd) actual.try_emplace(info.alias, info.alias, status, info.backend); } - check_alias_info_list_helper(expected, actual, "/User "); + check_alias_info_list_helper(expected, actual, getOwnerIdFromSelf()); remove_user_data(OWNER_USER_ID); } @@ -584,7 +584,7 @@ RUNNER_TEST(T1026_app_user_save_data_get_alias_pwd) actual.try_emplace(info.alias, info.alias, status, info.backend); } - check_alias_info_list_helper(expected, actual, "/User "); + check_alias_info_list_helper(expected, actual, getOwnerIdFromSelf()); remove_user_data(OWNER_USER_ID); } diff --git a/src/ckm/unprivileged/sign-verify.cpp b/src/ckm/unprivileged/sign-verify.cpp index a74d5789..693a8af1 100644 --- a/src/ckm/unprivileged/sign-verify.cpp +++ b/src/ckm/unprivileged/sign-verify.cpp @@ -161,7 +161,7 @@ public: for (int i = 0; i < KEY_IDX_MAX; i++) { Policy prvPolicy(Password(), false, m_backend); - Policy pubPolicy(Password(), true, m_backend); + Policy pubPolicy(Password(), type != DSA, m_backend); if (i == PASSWORD_PROTECTED) { prvPolicy.password.assign(PASSWORD); pubPolicy.password.assign(PASSWORD); diff --git a/src/e2ee-adaptation-layer/tests.cpp b/src/e2ee-adaptation-layer/tests.cpp index c93f06a8..f48a83a7 100644 --- a/src/e2ee-adaptation-layer/tests.cpp +++ b/src/e2ee-adaptation-layer/tests.cpp @@ -85,6 +85,18 @@ public: RSA_KEYS.pub.c_str(), UNEXPORTABLE, EXPORTABLE); + + check_self_key_alias_info_list(true, + Info(OURS.prv, UNEXPORTABLE, backend()), + Info(OURS.pub, EXPORTABLE, backend()), + Info(PEERS.prv, EXPORTABLE), + Info(PEERS.pub, EXPORTABLE), + Info(PEERS2.prv, EXPORTABLE), + Info(PEERS2.pub, EXPORTABLE), + Info(WRONG.prv, UNEXPORTABLE, backend()), + Info(WRONG.pub, EXPORTABLE, backend()), + Info(RSA_KEYS.prv, UNEXPORTABLE, backend()), + Info(RSA_KEYS.pub, EXPORTABLE, backend())); } void Finish() override @@ -125,6 +137,8 @@ AliasRemover keyAgreement(const std::string &prv, const std::string& pub, const auto pub_key = getKey(pub); assert_positive(ckmew_key_agreement, prv.c_str(), pub_key->raw_key, pub_key->key_size, derived); + check_self_key_alias_info_list(false, Info(derived, UNEXPORTABLE, prv)); + return AliasRemover(derived); } @@ -212,6 +226,8 @@ RUNNER_TEST(TEAL_0030_key_agreement_wrong_aliases) pub_key->key_size, DERIVED); + check_self_key_alias_info_list(false, Info(DERIVED, UNEXPORTABLE, OURS.prv)); + AliasRemover remover(DERIVED); assert_result(CKMC_ERROR_DB_ALIAS_EXISTS, @@ -235,6 +251,7 @@ RUNNER_TEST(TEAL_1000_pbkdf_positive) setParam(params, CKMC_PARAM_ED_IV, iv.get()); assert_positive(ckmew_key_derive_pbkdf2, "password", salt->data, salt->size, KEY_LEN, DERIVED); + check_self_key_alias_info_list(false, Info(DERIVED, UNEXPORTABLE, backend())); auto remover1 = AliasRemover(DERIVED); ckmc_raw_buffer_s* encrypted = nullptr; @@ -248,6 +265,7 @@ RUNNER_TEST(TEAL_1000_pbkdf_positive) { const char* const DERIVED2 = "derived2"; assert_positive(ckmew_key_derive_pbkdf2, password, salt, salt_len, key_len, DERIVED2); + check_self_key_alias_info_list(false, Info(DERIVED2, UNEXPORTABLE, backend())); auto remover = AliasRemover(DERIVED2); ckmc_raw_buffer_s* decrypted = nullptr; @@ -304,6 +322,8 @@ RUNNER_TEST(TEAL_1020_pbkdf_wrong_alias) { assert_positive(ckmew_key_derive_pbkdf2, "password", SALT, SALT_LEN, 32, DERIVED); + check_self_key_alias_info_list(false, Info(DERIVED, UNEXPORTABLE, backend())); + auto remover = AliasRemover(DERIVED); assert_result(CKMC_ERROR_DB_ALIAS_EXISTS,