From: Krzysztof Jackiewicz Date: Mon, 14 Aug 2023 14:31:57 +0000 (+0200) Subject: Apply VD test modifications X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e1a6c70a7c1e413e818f65d1b03c6a141cd76032;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Apply VD test modifications * Add EC public key export tests. * Add EC key/cert import tests. * Add TZ_EC_IMPORT build flag. EC import is not required by E2EE but is implemented in VD backend. Tests importing EC keys are disabled by default. * Use ckmc_backend_get_max_chunk_size to obtain the maximum "big data" size supported by the backend. * Update and add DSA import/signature/verification tests. * Don't use GCM IV longer than 63B as VD's backend does not support them. * Make keys unexportable where needed so that TZ backend is used whenever possible. * Compare unexportable keys by comparing encryption results. * Limit the amount of code applicable to SW backend only. * Don't expect CBC import (decryption) to fail always when wrong key is used. It may indeed fail if the padding is broken but it doesn't have to be the case. * Add comments explaining the source of failure on tizen.org's backend implementation. Change-Id: Ie98915ff1010af67ba9c44e8727813fa895c1979 --- diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 0b398af5..2ea4cccb 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -45,6 +45,7 @@ Requires: toybox-symlinks-ping %global ckm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-test/} %global ckm_rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/} %global tz_backend_enabled %{?tz_backend:%tz_backend}%{!?tz_backend:OFF} +%global tz_ec_import_enabled %{?tz_ec_import:%tz_ec_import}%{!?tz_ec_import:OFF} %global sm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/security-manager-test}%{!?TZ_SYS_SHARE:/usr/share/security-manager-test} %description @@ -62,6 +63,9 @@ cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \ %endif %if %{tz_backend_enabled} == ON -DTZ_BACKEND="ON" \ +%if %{tz_ec_import_enabled} == ON + -DTZ_EC_IMPORT="ON" \ +%endif %endif -DDPL_LOG="ON" \ -DDPL_WITH_DLOG="ON" \ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 743513f6..2a9368fd 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -33,8 +33,12 @@ ENDIF(DPL_WITH_DLOG) ADD_DEFINITIONS(${SYS_FRAMEWORK_TEST_OTHER_CFLAGS}) OPTION("TZ_BACKEND" OFF) +OPTION("TZ_EC_IMPORT" OFF) IF(TZ_BACKEND) ADD_DEFINITIONS("-DTZ_BACKEND") + IF(TZ_EC_IMPORT) + ADD_DEFINITIONS("-DTZ_EC_IMPORT") + ENDIF(TZ_EC_IMPORT) ENDIF(TZ_BACKEND) include(framework/config.cmake) diff --git a/src/ckm/unprivileged/capi-testcases.cpp b/src/ckm/unprivileged/capi-testcases.cpp index f8e08038..7cd9e7f5 100644 --- a/src/ckm/unprivileged/capi-testcases.cpp +++ b/src/ckm/unprivileged/capi-testcases.cpp @@ -747,20 +747,30 @@ RUNNER_TEST(T3044_remove_bin_data_C_API) RUNNER_TEST(T3045_save_big_data_C_API, RemoveDataEnv) { - // We don't know which backend will be used - const size_t BIG_SIZE = 100000; + ckmc_backend_info_h info; + size_t big_size = 100000; +#if TZ_BACKEND + ckmc_backend_id_e backend = CKMC_BACKEND_TZ; +#else + ckmc_backend_id_e backend = CKMC_BACKEND_SW; +#endif + assert_positive(ckmc_get_backend_info, backend, &info); + assert_positive(ckmc_backend_get_max_chunk_size, info, &big_size); - std::vector big_data(BIG_SIZE); + if (big_size == 0) + big_size = 100000; + + std::vector big_data(big_size); std::ifstream is("/dev/urandom", std::ifstream::binary); if(is) - is.read(big_data.data(), BIG_SIZE); + is.read(big_data.data(), big_size); RUNNER_ASSERT_MSG(is, - "Only " << is.gcount() << "/" << BIG_SIZE << " bytes read from /dev/urandom"); + "Only " << is.gcount() << "/" << big_size << " bytes read from /dev/urandom"); - save_data(TEST_OBJECT1, big_data.data(), BIG_SIZE, CKMC_ERROR_NONE); + save_data(TEST_OBJECT1, big_data.data(), big_size, CKMC_ERROR_NONE); auto self_label = getOwnerIdFromSelf(); - check_read(TEST_OBJECT1, self_label.c_str(), big_data.data(), BIG_SIZE, CKMC_ERROR_NONE); + check_read(TEST_OBJECT1, self_label.c_str(), big_data.data(), big_size, CKMC_ERROR_NONE); } RUNNER_TEST(T3046_save_get_password_protected_data) @@ -816,6 +826,88 @@ RUNNER_TEST(T3046_save_get_password_protected_data) CKMC_ERROR_NONE == (temp = ckmc_remove_alias(alias)), CKMCReadableError(temp)); } +RUNNER_TEST(T3047_get_public_key_from_TZ) +{ + const char *private_key_alias = "ECDSA-test-priv"; + const char *public_key_alias = "ECDSA-test-pub"; + ckmc_policy_s policy_private_key; + ckmc_policy_s policy_public_key; + ckmc_key_s *test_key2 = NULL; + ckmc_key_s *test_key3 = NULL; + policy_private_key.password = NULL; + policy_private_key.extractable = false; + policy_public_key.password = NULL; + policy_public_key.extractable = true; + + //Testing getting exportable public key without password + assert_positive(ckmc_create_key_pair_ecdsa, + CKMC_EC_PRIME192V1, + private_key_alias, + public_key_alias, + policy_private_key, + policy_public_key); + + assert_positive(ckmc_get_key, public_key_alias, nullptr, &test_key2); + + assert_result(CKMC_ERROR_NOT_EXPORTABLE, + ckmc_get_key, + private_key_alias, + nullptr, + &test_key3); + + ckmc_remove_alias(public_key_alias); + ckmc_remove_alias(private_key_alias); + + ckmc_key_free(test_key2); + test_key2 = NULL; + ckmc_key_free(test_key3); + test_key3 = NULL; + + //Testing getting exportable public key with password + const char *password = "password"; + policy_public_key.password = const_cast(password); + policy_public_key.extractable = true; + + assert_positive(ckmc_create_key_pair_ecdsa, + CKMC_EC_PRIME192V1, + private_key_alias, + public_key_alias, + policy_private_key, + policy_public_key); + + assert_positive(ckmc_get_key, public_key_alias, policy_public_key.password, &test_key2); + + assert_result(CKMC_ERROR_NOT_EXPORTABLE, ckmc_get_key, private_key_alias, nullptr, &test_key3); + + ckmc_remove_alias(public_key_alias); + ckmc_remove_alias(private_key_alias); + + ckmc_key_free(test_key2); + test_key2 = NULL; + ckmc_key_free(test_key3); + test_key3 = NULL; + + //Testing getting non-exportable public key + policy_public_key.password = NULL; + policy_public_key.extractable = false; + + assert_positive(ckmc_create_key_pair_ecdsa, + CKMC_EC_PRIME192V1, + private_key_alias, + public_key_alias, + policy_private_key, + policy_private_key); + + assert_result(CKMC_ERROR_NOT_EXPORTABLE, ckmc_get_key, public_key_alias, nullptr, &test_key3); + + ckmc_remove_alias(public_key_alias); + ckmc_remove_alias(private_key_alias); + + ckmc_key_free(test_key2); + test_key2 = NULL; + ckmc_key_free(test_key3); + test_key3 = NULL; +} RUNNER_TEST(T3050_deinit_C_API) { @@ -1421,99 +1513,6 @@ RUNNER_TEST(T3083b_CAPI__rsa_key_create_verify_hash_and_padding) ckmc_buffer_free(signature); } - -RUNNER_TEST(T3084_CAPI__ec_key_create_verify) -{ - int temp; - - std::string prv = "-----BEGIN EC PRIVATE KEY-----\n" - "MHQCAQEEIJNud6U4h8EM1rASn4W5vQOJELTaVPQTUiESaBULvQUVoAcGBSuBBAAK\n" - "oUQDQgAEL1R+hgjiFrdjbUKRNOxUG8ze9nveD9zT05YHeT7vK0w08AUL1HCH5nFV\n" - "ljePBYSxe6CybFiseayaxRxjA+iF1g==\n" - "-----END EC PRIVATE KEY-----\n"; - - std::string pub = "-----BEGIN PUBLIC KEY-----\n" - "MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEL1R+hgjiFrdjbUKRNOxUG8ze9nveD9zT\n" - "05YHeT7vK0w08AUL1HCH5nFVljePBYSxe6CybFiseayaxRxjA+iF1g==\n" - "-----END PUBLIC KEY-----\n"; - - ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); - CKM::Alias pri_alias = "ecprv2"; - CKM::Alias pub_alias = "ecpub2"; - char *key_passwd = NULL; - char *pri_passwd = NULL; - char *pub_passwd = NULL; - ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256; - ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING; - ckmc_raw_buffer_s *signature; - - ckmc_key_s pubkey; - pubkey.raw_key = reinterpret_cast(pub.data()); - pubkey.key_size = pub.size(); - pubkey.key_type = CKMC_KEY_NONE; - pubkey.password = NULL; - - ckmc_policy_s pubpolicy; - pubpolicy.password = pub_passwd; - pubpolicy.extractable = 1; - - ckmc_key_s prikey; - prikey.raw_key = reinterpret_cast(prv.data()); - prikey.key_size = prv.size(); - prikey.key_type = CKMC_KEY_NONE; - prikey.password = key_passwd; - - ckmc_policy_s pripolicy; - - pripolicy.password = pri_passwd; - -#ifdef TZ_BACKEND // TZ backend does not support EC key import - pripolicy.extractable = 1; -#else - pripolicy.extractable = 0; -#endif - - RUNNER_ASSERT_MSG( - CKMC_ERROR_NONE == (temp = ckmc_save_key(pub_alias.c_str(), pubkey, pubpolicy)), - CKMCReadableError(temp)); - RUNNER_ASSERT_MSG( - CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), - CKMCReadableError(temp)); - - RUNNER_ASSERT_MSG( - CKMC_ERROR_NONE == (temp = ckmc_create_signature( - pri_alias.c_str(), - pri_passwd, - msg_buff, - hash_algo, - pad_algo, - &signature)), - CKMCReadableError(temp)); - - RUNNER_ASSERT_MSG( - CKMC_ERROR_NONE == (temp = ckmc_verify_signature( - pub_alias.c_str(), - pub_passwd, - msg_buff, - *signature, - hash_algo, - pad_algo)), - CKMCReadableError(temp)); - - RUNNER_ASSERT_MSG(signature->size > 6, "Signature is too small"); - memcpy((void*)signature->data, "BROKEN", 6); - - RUNNER_ASSERT_MSG( - CKMC_ERROR_VERIFICATION_FAILED == (temp = ckmc_verify_signature( - pub_alias.c_str(), - pub_passwd, - msg_buff, - *signature, - hash_algo, - pad_algo)), - CKMCReadableError(temp)); -} - RUNNER_TEST(T3085_CAPI__rsa_cert_create_verify_signature) { int temp; @@ -1686,6 +1685,7 @@ RUNNER_TEST(T3086_CAPI__dsa_ext_key_create_verify_with_negative) prikey.key_type = CKMC_KEY_NONE; prikey.password = NULL; + AliasRemover removers[] = {pri_alias.c_str(), pub_alias.c_str()}; RUNNER_ASSERT_MSG( CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), @@ -1714,8 +1714,111 @@ RUNNER_TEST(T3086_CAPI__dsa_ext_key_create_verify_with_negative) *signature, hash_algo, pad_algo)), + CKMCReadableError(temp)); // DSA verification is broken in tef-simulator + + // negative test + ckmc_raw_buffer_s invalid_msg_buff = prepare_message_buffer("invalid message test"); + RUNNER_ASSERT_MSG( + CKMC_ERROR_VERIFICATION_FAILED == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + invalid_msg_buff, + *signature, + hash_algo, + pad_algo)), CKMCReadableError(temp)); + ckmc_buffer_free(signature); +} + +RUNNER_TEST(T3086_CAPI__dsa_ext_priv_key_create_verify_with_negative) +{ + int temp; + + std::string pub = "-----BEGIN PUBLIC KEY-----\n" + "MIIBtzCCASwGByqGSM44BAEwggEfAoGBALeveaD/EheW+ws1YuW77f344+brkEzm\n" + "BVfFYHr7t+jwu6nQe341SoESJG+PCgrrhy76KNDCfveiwEoWufVHnI4bYBU/ClzP\n" + "A3amf6c5yud45ZR/b6OiAuew6ohY0mQGnzqeio8BaCsZaJ6EziCSlkdIDJisSfPg\n" + "nlWHqf4AwHVdAhUA7I1JQ7sBFJ+N19w3Omu+aO8EG08CgYEAldagy/Ccxhh43cZu\n" + "AZQxgJLCcp1jg6NdPMdkZ2TcSijvaVxBu+gjEGOqN5Os2V6UF7S/k/rjHYmcX9ux\n" + "gpjkC31yTNrKyERIAFIYZtG2K7LVBUZq5Fgm7I83QBVchJ2PA7mBaugJFEhNjbhK\n" + "NRip5UH38le1YDZ/IiA+svFOpeoDgYQAAoGAPT91aEgwFdulzmHlvr3k+GBCE9z+\n" + "hq0c3FGUCtGbVOqg2KPqMBgwSb4MC0msQys4DTVZhLJI+C5eIPEHgfBMqY1ZNJdO\n" + "OSCQciDXnRfSqKbT6tjDTgR5jmh5bG1Q8QFeBTHCDsQHoQYWgx0nyu12lASN80rC\n" + "YMYCBhubtrVaLmc=\n" + "-----END PUBLIC KEY-----"; + + std::string priv = "-----BEGIN DSA PRIVATE KEY-----\n" + "MIIBvAIBAAKBgQC3r3mg/xIXlvsLNWLlu+39+OPm65BM5gVXxWB6+7fo8Lup0Ht+\n" + "NUqBEiRvjwoK64cu+ijQwn73osBKFrn1R5yOG2AVPwpczwN2pn+nOcrneOWUf2+j\n" + "ogLnsOqIWNJkBp86noqPAWgrGWiehM4gkpZHSAyYrEnz4J5Vh6n+AMB1XQIVAOyN\n" + "SUO7ARSfjdfcNzprvmjvBBtPAoGBAJXWoMvwnMYYeN3GbgGUMYCSwnKdY4OjXTzH\n" + "ZGdk3Eoo72lcQbvoIxBjqjeTrNlelBe0v5P64x2JnF/bsYKY5At9ckzayshESABS\n" + "GGbRtiuy1QVGauRYJuyPN0AVXISdjwO5gWroCRRITY24SjUYqeVB9/JXtWA2fyIg\n" + "PrLxTqXqAoGAPT91aEgwFdulzmHlvr3k+GBCE9z+hq0c3FGUCtGbVOqg2KPqMBgw\n" + "Sb4MC0msQys4DTVZhLJI+C5eIPEHgfBMqY1ZNJdOOSCQciDXnRfSqKbT6tjDTgR5\n" + "jmh5bG1Q8QFeBTHCDsQHoQYWgx0nyu12lASN80rCYMYCBhubtrVaLmcCFQC0IB4m\n" + "u1roOuaPY+Hl19BlTE2qdw==\n" + "-----END DSA PRIVATE KEY-----"; + + ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); + + CKM::Alias pub_alias = "dsa-T3086-ext-pub1"; + CKM::Alias pri_alias = "dsa-T3086-ext-prv1"; + char *pri_passwd = NULL; + char *pub_passwd = NULL; + ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA1; + ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING; + ckmc_raw_buffer_s *signature = NULL; + + ckmc_key_s pubkey; + pubkey.raw_key = reinterpret_cast(pub.data()); + pubkey.key_size = pub.size(); + pubkey.key_type = CKMC_KEY_NONE; + pubkey.password = NULL; + + ckmc_policy_s pubpolicy; + pubpolicy.password = pub_passwd; + pubpolicy.extractable = 1; + + ckmc_policy_s pripolicy; + pripolicy.password = pri_passwd; + pripolicy.extractable = 0; + + ckmc_key_s prikey; + prikey.raw_key = reinterpret_cast(priv.data()); + prikey.key_size = priv.size(); + prikey.key_type = CKMC_KEY_NONE; + prikey.password = NULL; + + AliasRemover removers[] = {pri_alias.c_str(), pub_alias.c_str()}; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), + CKMCReadableError(temp)); + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pub_alias.c_str(), pubkey, pubpolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_create_signature( + pri_alias.c_str(), + pri_passwd, + msg_buff, + hash_algo, + pad_algo, + &signature)), + CKMCReadableError(temp)); + // positive test + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); // DSA verification is broken in tef-simulator // negative test ckmc_raw_buffer_s invalid_msg_buff = prepare_message_buffer("invalid message test"); RUNNER_ASSERT_MSG( @@ -1808,37 +1911,122 @@ RUNNER_TEST(T3087_CAPI__dsa_int_key_create_verify_with_negative) ckmc_buffer_free(signature); } +// No support for EC import in tizen.org's TA. EC import is not required by E2EE. +#if ! defined(TZ_BACKEND) || defined(TZ_EC_IMPORT) +RUNNER_TEST(T3088_CAPI__ec_key_create_verify) +{ + int temp; + std::string prv = "-----BEGIN EC PRIVATE KEY-----\n" + "MHcCAQEEIN/iPh6OPn45v3kWIVhJOtiZ9VEW1GSPBpzw4LoJOPEQoAoGCCqGSM49\n" + "AwEHoUQDQgAE0jsycj6iyxVIAPueKzkztY664Rc0jVW7U95yK8Cy7wKcjUTX2Sis\n" + "sOOUyftV3/nUgPAnzWVQTDal15xH5waI+A==\n" + "-----END EC PRIVATE KEY-----\n"; + + std::string pub = "-----BEGIN PUBLIC KEY-----\n" + "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0jsycj6iyxVIAPueKzkztY664Rc0\n" + "jVW7U95yK8Cy7wKcjUTX2SissOOUyftV3/nUgPAnzWVQTDal15xH5waI+A==\n" + "-----END PUBLIC KEY-----"; + + ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); + CKM::Alias pri_alias = "ecprv2"; + CKM::Alias pub_alias = "ecpub2"; + char *key_passwd = NULL; + char *pri_passwd = NULL; + char *pub_passwd = NULL; + ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256; + ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING; + ckmc_raw_buffer_s *signature; + + ckmc_key_s pubkey; + pubkey.raw_key = reinterpret_cast(pub.data()); + pubkey.key_size = pub.size(); + pubkey.key_type = CKMC_KEY_NONE; + pubkey.password = NULL; + + ckmc_policy_s pubpolicy; + pubpolicy.password = pub_passwd; + pubpolicy.extractable = 1; + + ckmc_key_s prikey; + prikey.raw_key = reinterpret_cast(prv.data()); + prikey.key_size = prv.size(); + prikey.key_type = CKMC_KEY_NONE; + prikey.password = key_passwd; + + ckmc_policy_s pripolicy; + + pripolicy.password = pri_passwd; + pripolicy.extractable = 0; + + AliasRemover removers[] = {pub_alias.c_str(), pri_alias.c_str()}; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pub_alias.c_str(), pubkey, pubpolicy)), + CKMCReadableError(temp)); + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_create_signature( + pri_alias.c_str(), + pri_passwd, + msg_buff, + hash_algo, + pad_algo, + &signature)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG(signature->size > 6, "Signature is too small"); + memcpy((void*)signature->data, "BROKEN", 6); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_VERIFICATION_FAILED == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + ckmc_buffer_free(signature); +} + RUNNER_TEST(T3088_CAPI__ecdsa_cert_create_verify_signature) { int temp; - std::string prv = - "-----BEGIN EC PRIVATE KEY-----\n" - "MIH8AgEBBBRPb/2utS5aCtyuwmzIHpU6LH3mc6CBsjCBrwIBATAgBgcqhkjOPQEB\n" - "AhUA/////////////////////3////8wQwQU/////////////////////3////wE\n" - "FByXvvxUvXqLZaz4n4HU1K3FZfpFAxUAEFPN5CwU1pbmdodWFRdTO/P4M0UEKQRK\n" - "lrVojvVzKEZkaYlow4u5E8v8giOmKFUxaJR9WdzJEgQjUTd6xfsyAhUBAAAAAAAA\n" - "AAAAAfTI+Seu08p1IlcCAQGhLAMqAATehLqu61gKC3Tgr4wQMVoguAhhG3Uwwz8u\n" - "ELyhe7yPCAuOoLZlTLgf\n" + std::string prv = "-----BEGIN EC PRIVATE KEY-----\n" + "MHcCAQEEIN/iPh6OPn45v3kWIVhJOtiZ9VEW1GSPBpzw4LoJOPEQoAoGCCqGSM49\n" + "AwEHoUQDQgAE0jsycj6iyxVIAPueKzkztY664Rc0jVW7U95yK8Cy7wKcjUTX2Sis\n" + "sOOUyftV3/nUgPAnzWVQTDal15xH5waI+A==\n" "-----END EC PRIVATE KEY-----\n"; - std::string pub = - "-----BEGIN CERTIFICATE-----\n" - "MIICfDCCAjqgAwIBAgIJANIytpeTKlXBMAkGByqGSM49BAEwXjELMAkGA1UEBhMC\n" - "UEwxDTALBgNVBAgMBExvZHoxDTALBgNVBAcMBExvZHoxEDAOBgNVBAoMB1NhbXN1\n" - "bmcxETAPBgNVBAsMCFNlY3VyaXR5MQwwCgYDVQQDDANDS00wHhcNMTQwNzAyMTI0\n" - "MTQ3WhcNMTcwNzAxMTI0MTQ3WjBeMQswCQYDVQQGEwJQTDENMAsGA1UECAwETG9k\n" - "ejENMAsGA1UEBwwETG9kejEQMA4GA1UECgwHU2Ftc3VuZzERMA8GA1UECwwIU2Vj\n" - "dXJpdHkxDDAKBgNVBAMMA0NLTTCB6jCBuwYHKoZIzj0CATCBrwIBATAgBgcqhkjO\n" - "PQEBAhUA/////////////////////3////8wQwQU/////////////////////3//\n" - "//wEFByXvvxUvXqLZaz4n4HU1K3FZfpFAxUAEFPN5CwU1pbmdodWFRdTO/P4M0UE\n" - "KQRKlrVojvVzKEZkaYlow4u5E8v8giOmKFUxaJR9WdzJEgQjUTd6xfsyAhUBAAAA\n" - "AAAAAAAAAfTI+Seu08p1IlcCAQEDKgAE3oS6rutYCgt04K+MEDFaILgIYRt1MMM/\n" - "LhC8oXu8jwgLjqC2ZUy4H6NQME4wHQYDVR0OBBYEFELElWx3kbLo55Cfn1vywsEZ\n" - "ccsmMB8GA1UdIwQYMBaAFELElWx3kbLo55Cfn1vywsEZccsmMAwGA1UdEwQFMAMB\n" - "Af8wCQYHKoZIzj0EAQMxADAuAhUAumC4mGoyK97SxTvVBQ+ELfCbxEECFQCbMJ72\n" - "Q1oBry6NEc+lLFmWMDesAA==\n" - "-----END CERTIFICATE-----\n"; + std::string pub = "-----BEGIN CERTIFICATE-----\n" + "MIICOTCCAd+gAwIBAgIUZutYnkt/bslUp9cypmBWUEehLZQwCgYIKoZIzj0EAwIw\n" + "cjELMAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNVV09OMQ4wDAYDVQQHDAVTVVdPTjEQ\n" + "MA4GA1UECgwHU0FNU1VORzELMAkGA1UECwwCVkQxJDAiBgNVBAMMG1NBTVNVTkcg\n" + "VEVTVCBFQyBDRVJUSUZJQ0FURTAeFw0yMzA3MTYxMjA0NTJaFw0yNDA3MTUxMjA0\n" + "NTJaMHIxCzAJBgNVBAYTAktSMQ4wDAYDVQQIDAVTVVdPTjEOMAwGA1UEBwwFU1VX\n" + "T04xEDAOBgNVBAoMB1NBTVNVTkcxCzAJBgNVBAsMAlZEMSQwIgYDVQQDDBtTQU1T\n" + "VU5HIFRFU1QgRUMgQ0VSVElGSUNBVEUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC\n" + "AATSOzJyPqLLFUgA+54rOTO1jrrhFzSNVbtT3nIrwLLvApyNRNfZKKyw45TJ+1Xf\n" + "+dSA8CfNZVBMNqXXnEfnBoj4o1MwUTAdBgNVHQ4EFgQUKEjYUsPZiOTVWX7c6wzd\n" + "VE/G5NUwHwYDVR0jBBgwFoAUKEjYUsPZiOTVWX7c6wzdVE/G5NUwDwYDVR0TAQH/\n" + "BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiBJYK+YXFme/yN0nwIiAw8SnAKy0I7s\n" + "fMkujlwV50KHWwIhAPaiSJdoKPPTX9pp0OZK0izd1xByAL5DSd4GSwLBOFWQ\n" + "-----END CERTIFICATE-----"; ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); @@ -1868,12 +2056,9 @@ RUNNER_TEST(T3088_CAPI__ecdsa_cert_create_verify_signature) ckmc_policy_s pripolicy; pripolicy.password = pri_passwd; -#ifdef TZ_BACKEND // TZ backend does not support EC key import - pripolicy.extractable = 1; -#else pripolicy.extractable = 0; -#endif + AliasRemover removers[] = {pri_alias.c_str(), pub_alias.c_str()}; RUNNER_ASSERT_MSG( CKMC_ERROR_NONE == (temp = ckmc_save_cert(pub_alias.c_str(), cert, certpolicy)), @@ -1914,7 +2099,274 @@ RUNNER_TEST(T3088_CAPI__ecdsa_cert_create_verify_signature) hash_algo, pad_algo)), CKMCReadableError(temp)); + + ckmc_buffer_free(signature); +} + +RUNNER_TEST(T3088_CAPI__ecdsa_secp384r1_cert_create_verify_signature) +{ + int temp; + + std::string prv = "-----BEGIN EC PRIVATE KEY-----\n" + "MIGkAgEBBDDFzD40r9xPqwmdaXYYx0ESTPxkhOeXybiFZqbmdmyLxJM/ORc4JQj9\n" + "uDjIYeEt7ZSgBwYFK4EEACKhZANiAATY6RDFr+SUF+0WiJkkkb7kTHLEBbYsOUy0\n" + "j/+rOp5tGPFiDZkzhN0QFZVlmCMIoMxBYHIzzehiIHczPI3nduZwkAXbH+EnTAWh\n" + "UJzskqPt4aJc7Fd4DmI0Rl5uBnGUFUI=\n" + "-----END EC PRIVATE KEY-----"; + + std::string pub = "-----BEGIN CERTIFICATE-----\n" + "MIICjTCCAhSgAwIBAgIUVeItRpAxFiAlnYPwihsWwHcTrk4wCgYIKoZIzj0EAwIw\n" + "fjELMAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNVV09OMQ4wDAYDVQQHDAVTVVdPTjER\n" + "MA8GA1UECgwIU0FNU1VORyAxEzARBgNVBAsMClZEIFNBTVNVTkcxJzAlBgNVBAMM\n" + "HlZEIFNBTVNVTkcgRUMgQ0VSVElGSUNBVEUgVEVTVDAeFw0yMzA3MTYxMjQwNDVa\n" + "Fw0yNDA3MTUxMjQwNDVaMH4xCzAJBgNVBAYTAktSMQ4wDAYDVQQIDAVTVVdPTjEO\n" + "MAwGA1UEBwwFU1VXT04xETAPBgNVBAoMCFNBTVNVTkcgMRMwEQYDVQQLDApWRCBT\n" + "QU1TVU5HMScwJQYDVQQDDB5WRCBTQU1TVU5HIEVDIENFUlRJRklDQVRFIFRFU1Qw\n" + "djAQBgcqhkjOPQIBBgUrgQQAIgNiAATY6RDFr+SUF+0WiJkkkb7kTHLEBbYsOUy0\n" + "j/+rOp5tGPFiDZkzhN0QFZVlmCMIoMxBYHIzzehiIHczPI3nduZwkAXbH+EnTAWh\n" + "UJzskqPt4aJc7Fd4DmI0Rl5uBnGUFUKjUzBRMB0GA1UdDgQWBBSOsbmH3l7UrFfq\n" + "hkySFU544ymvtTAfBgNVHSMEGDAWgBSOsbmH3l7UrFfqhkySFU544ymvtTAPBgNV\n" + "HRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA2cAMGQCME89T0LZGkg87BBBmA6coE1t\n" + "z0UQrQFot9F4LJgfIjnezAFmcapQZ40tVn1FAB/DzgIwJsnlsmxoXyWtFxEL/I3r\n" + "mtPbpS5ZhwJEKqoxwuhf+uJAEIDiBHkCnYsqeTG1z/BA\n" + "-----END CERTIFICATE-----"; + + std::string pub1 = "-----BEGIN PUBLIC KEY-----\n" + "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2OkQxa/klBftFoiZJJG+5ExyxAW2LDlM\n" + "tI//qzqebRjxYg2ZM4TdEBWVZZgjCKDMQWByM83oYiB3MzyN53bmcJAF2x/hJ0wF\n" + "oVCc7JKj7eGiXOxXeA5iNEZebgZxlBVC\n" + "-----END PUBLIC KEY-----"; + + ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); + + CKM::Alias pri_alias = "prv4-secp384r1"; + CKM::Alias pub_alias = "pub4-secp384r1"; + CKM::Alias pub1_alias = "pub41-secp384r1"; + char *key_passwd = NULL; + char *pri_passwd = NULL; + char *pub_passwd = NULL; + ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256; + ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING; + ckmc_raw_buffer_s *signature; + + ckmc_cert_s cert; + cert.raw_cert = reinterpret_cast(pub.data()); + cert.cert_size = pub.size(); + cert.data_format = CKMC_FORM_PEM; + + ckmc_policy_s certpolicy; + certpolicy.password = pub_passwd; + certpolicy.extractable = 1; + + ckmc_key_s prikey; + prikey.raw_key = reinterpret_cast(prv.data()); + prikey.key_size = prv.size(); + prikey.key_type = CKMC_KEY_NONE; + prikey.password = key_passwd; + + ckmc_policy_s pripolicy; + pripolicy.password = pri_passwd; + pripolicy.extractable = 0; + + ckmc_key_s pubkey; + pubkey.raw_key = reinterpret_cast(pub1.data()); + pubkey.key_size = pub1.size(); + pubkey.key_type = CKMC_KEY_NONE; + pubkey.password = NULL; + + ckmc_policy_s pubpolicy; + pubpolicy.password = pub_passwd; + pubpolicy.extractable = 1; + + AliasRemover removers[] = {pub1_alias.c_str(), pub_alias.c_str(), pri_alias.c_str()}; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pub1_alias.c_str(), pubkey, pubpolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_cert(pub_alias.c_str(), cert, certpolicy)), + CKMCReadableError(temp)); + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_create_signature( + pri_alias.c_str(), + pri_passwd, + msg_buff, + hash_algo, + pad_algo, + &signature)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub1_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG(signature->size > 6, "Signature is too small"); + memcpy((void*)signature->data, "BROKEN", 6); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_VERIFICATION_FAILED == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + ckmc_buffer_free(signature); +} + +RUNNER_TEST(T3088_CAPI__ecdsa_prime192v1_cert_create_verify_signature) +{ + int temp; + + std::string prv = "-----BEGIN EC PRIVATE KEY-----\n" + "MF8CAQEEGHWU30LHvJMYREv1I4veekMCGB6RtuIaxaAKBggqhkjOPQMBAaE0AzIA\n" + "BPftMWeqeqlS3EBL1VF12l/TTWqTTVDdL6q2uPIyLvIW5jn4EzJaPmd+QIOflZZX\n" + "ng==\n" + "-----END EC PRIVATE KEY-----"; + + std::string pub = "-----BEGIN CERTIFICATE-----\n" + "MIICKTCCAd+gAwIBAgIUcTQU6exo9T+FDohlh2DvFPWE7gAwCgYIKoZIzj0EAwIw\n" + "ejELMAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNVV09OMQ4wDAYDVQQHDAVTVVdPTjEQ\n" + "MA4GA1UECgwHU0FNU1VORzETMBEGA1UECwwKVkQgU0FNU1VORzEkMCIGA1UEAwwb\n" + "U0FNU1VORyBURVNUIENFUlRJRklDQVRFIEVDMB4XDTIzMDcxNjEyMzczN1oXDTI0\n" + "MDcxNTEyMzczN1owejELMAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNVV09OMQ4wDAYD\n" + "VQQHDAVTVVdPTjEQMA4GA1UECgwHU0FNU1VORzETMBEGA1UECwwKVkQgU0FNU1VO\n" + "RzEkMCIGA1UEAwwbU0FNU1VORyBURVNUIENFUlRJRklDQVRFIEVDMEkwEwYHKoZI\n" + "zj0CAQYIKoZIzj0DAQEDMgAE9+0xZ6p6qVLcQEvVUXXaX9NNapNNUN0vqra48jIu\n" + "8hbmOfgTMlo+Z35Ag5+Vlleeo1MwUTAdBgNVHQ4EFgQUZVBaYOnlL5e9AejboK1i\n" + "BfgEkFIwHwYDVR0jBBgwFoAUZVBaYOnlL5e9AejboK1iBfgEkFIwDwYDVR0TAQH/\n" + "BAUwAwEB/zAKBggqhkjOPQQDAgM4ADA1AhkAxFetQL2yNYyOheIgt3FEfMNqkkv3\n" + "5J/kAhhHDuSYogH8wBe4RtRy8xcQZ1Lu7pGVoBY=\n" + "-----END CERTIFICATE-----"; + + std::string pub1 = "-----BEGIN PUBLIC KEY-----\n" + "MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAE9+0xZ6p6qVLcQEvVUXXaX9NNapNN\n" + "UN0vqra48jIu8hbmOfgTMlo+Z35Ag5+Vllee\n" + "-----END PUBLIC KEY-----"; + + ckmc_raw_buffer_s msg_buff = prepare_message_buffer("message test"); + + CKM::Alias pri_alias = "prv4-prime192v1"; + CKM::Alias pub_alias = "pub4-prime192v1"; + CKM::Alias pub1_alias = "pub41-prime192v1"; + char *key_passwd = NULL; + char *pri_passwd = NULL; + char *pub_passwd = NULL; + ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256; + ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING; + ckmc_raw_buffer_s *signature; + + ckmc_cert_s cert; + cert.raw_cert = reinterpret_cast(pub.data()); + cert.cert_size = pub.size(); + cert.data_format = CKMC_FORM_PEM; + + ckmc_policy_s certpolicy; + certpolicy.password = pub_passwd; + certpolicy.extractable = 1; + + ckmc_key_s prikey; + prikey.raw_key = reinterpret_cast(prv.data()); + prikey.key_size = prv.size(); + prikey.key_type = CKMC_KEY_NONE; + prikey.password = key_passwd; + + ckmc_policy_s pripolicy; + pripolicy.password = pri_passwd; + pripolicy.extractable = 0; + + ckmc_key_s pubkey; + pubkey.raw_key = reinterpret_cast(pub1.data()); + pubkey.key_size = pub1.size(); + pubkey.key_type = CKMC_KEY_NONE; + pubkey.password = NULL; + + ckmc_policy_s pubpolicy; + pubpolicy.password = pub_passwd; + pubpolicy.extractable = 1; + + AliasRemover removers[] = {pub1_alias.c_str(), pub_alias.c_str(), pri_alias.c_str()}; + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pub1_alias.c_str(), pubkey, pubpolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_cert(pub_alias.c_str(), cert, certpolicy)), + CKMCReadableError(temp)); + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_save_key(pri_alias.c_str(), prikey, pripolicy)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_create_signature( + pri_alias.c_str(), + pri_passwd, + msg_buff, + hash_algo, + pad_algo, + &signature)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_NONE == (temp = ckmc_verify_signature( + pub1_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + RUNNER_ASSERT_MSG(signature->size > 6, "Signature is too small"); + memcpy((void*)signature->data, "BROKEN", 6); + + RUNNER_ASSERT_MSG( + CKMC_ERROR_VERIFICATION_FAILED == (temp = ckmc_verify_signature( + pub_alias.c_str(), + pub_passwd, + msg_buff, + *signature, + hash_algo, + pad_algo)), + CKMCReadableError(temp)); + + ckmc_buffer_free(signature); } +#endif //! defined(TZ_BACKEND) || defined(TZ_EC_IMPORT) RUNNER_TEST(T3089_CAPI_deinit) { diff --git a/src/ckm/unprivileged/encryption-decryption.cpp b/src/ckm/unprivileged/encryption-decryption.cpp index 10e23e24..d87e46a6 100644 --- a/src/ckm/unprivileged/encryption-decryption.cpp +++ b/src/ckm/unprivileged/encryption-decryption.cpp @@ -170,7 +170,7 @@ ckmc_raw_buffer_s* IV11; ckmc_raw_buffer_s* IV12; ckmc_raw_buffer_s* IV15; ckmc_raw_buffer_s* IV17; -ckmc_raw_buffer_s* IV128; +ckmc_raw_buffer_s* IV63; ckmc_raw_buffer_s* AAD32; ckmc_raw_buffer_s* AAD64; @@ -227,7 +227,7 @@ public: IV12 = createRandomBufferCAPI(12); IV15 = createRandomBufferCAPI(15); IV17 = createRandomBufferCAPI(17); - IV128 = createRandomBufferCAPI(128); + IV63 = createRandomBufferCAPI(63); AAD32 = createRandomBufferCAPI(32); AAD64 = createRandomBufferCAPI(64); } @@ -290,7 +290,7 @@ public: PLAIN_DATA.reset(); ckmc_buffer_free(AAD64); ckmc_buffer_free(AAD32); - ckmc_buffer_free(IV128); + ckmc_buffer_free(IV63); ckmc_buffer_free(IV17); ckmc_buffer_free(IV15); ckmc_buffer_free(IV12); @@ -849,7 +849,7 @@ void testGcmDifferentIvSizes(const Algo& algo) #endif testGcmIvSize(IV12, aliases); testGcmIvSize(IV17, aliases); - testGcmIvSize(IV128, aliases); + testGcmIvSize(IV63, aliases); } void testEncryptDecryptBigData(const Algo& algo) diff --git a/src/ckm/unprivileged/key-derivation.cpp b/src/ckm/unprivileged/key-derivation.cpp index 84c6ece7..a5cab2f7 100644 --- a/src/ckm/unprivileged/key-derivation.cpp +++ b/src/ckm/unprivileged/key-derivation.cpp @@ -70,6 +70,30 @@ const RawBufferPtr CTX = create_raw_buffer(createRandomBufferCAPI(12)); const RawBufferPtr FIX = create_raw_buffer(createRandomBufferCAPI(36)); const RawBufferPtr ONE = create_raw_buffer(createRandomBufferCAPI(1)); +struct Algo +{ + ckmc_algo_type_e type; + size_t initVector; +}; + +ckmc_raw_buffer_s* DEFAULT_IV = nullptr; + +const Algo AES_GCM_ALGO = { CKMC_ALGO_AES_GCM, 16 }; +const Algo AES_CBC_ALGO = { CKMC_ALGO_AES_CBC, 16 }; + +ParamListPtr getDefaultParams(const Algo &algo) +{ + ckmc_param_list_h handle = nullptr; + + assert_positive(ckmc_generate_new_params, algo.type, &handle); + ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); + if (algo.type == CKMC_ALGO_RSA_OAEP) + return params; + + DEFAULT_IV = createRandomBufferCAPI(algo.initVector); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); + return params; +} class EcdhGroupFixture: public DPL::Test::TestGroup { private: @@ -141,6 +165,7 @@ struct DerivedFixture void finish() { ckmc_remove_alias(DERIVED.c_str()); + ckmc_remove_alias(DERIVED2.c_str()); } }; @@ -240,6 +265,7 @@ public: return Test( false, len, prf, mode, location, context, label, fixed, rlen, llen, noSeparator); } + private: void Test(bool ok, const uint64_t* len, @@ -277,8 +303,6 @@ private: setParam(derive, CKMC_PARAM_KBKDF_NO_SEPARATOR, 1); if (ok) { - - #ifdef TZ_BACKEND assert_positive(ckmc_key_derive, derive.get(), @@ -301,6 +325,29 @@ private: RUNNER_ASSERT(derived_size == *len); #endif + const RawBufferPtr randomData = create_raw_buffer(createRandomBufferCAPI(16)); + ckmc_raw_buffer_s *encrypted = nullptr; + ckmc_raw_buffer_s *decrypted = nullptr; + ParamListPtr params = getDefaultParams(AES_CBC_ALGO); + + assert_positive(ckmc_encrypt_data, + params.get(), + DERIVED.c_str(), + nullptr, + *randomData.get(), + &encrypted); + + assert_positive(ckmc_decrypt_data, + params.get(), + DERIVED.c_str(), + nullptr, + *encrypted, + &decrypted); + + assert_buffers_equal(randomData.get(), decrypted); + + ckmc_buffer_free(encrypted); + ckmc_buffer_free(decrypted); assert_positive(ckmc_remove_alias, DERIVED.c_str()); } else { @@ -310,7 +357,7 @@ private: SECRET.c_str(), "", DERIVED.c_str(), - EXPORTABLE); + UNEXPORTABLE); } } }; @@ -495,7 +542,8 @@ RUNNER_TEST(TECDH_0210_different_curves, DerivedFixture) RUNNER_TEST(TECDH_0220_different_key_types, DerivedFixture) { - deriveEcdh(OURS.prv, "", RSA_EXPORTABLE.pub, DERIVED, UNEXPORTABLE, CKMC_ERROR_INVALID_PARAMETER); + // tizen.org TA can't export RSA keys + deriveEcdh(OURS.prv, "", RSA.pub, DERIVED, UNEXPORTABLE, CKMC_ERROR_INVALID_PARAMETER); deriveEcdh(RSA.prv, "", OURS.pub, DERIVED, UNEXPORTABLE, CKMC_ERROR_INVALID_PARAMETER); } @@ -506,7 +554,8 @@ RUNNER_TEST(TECDH_0230_public_instead_of_private, DerivedFixture) RUNNER_TEST(TECDH_0230_wrong_key_types, DerivedFixture) { - deriveEcdh(RSA.prv, "", RSA_EXPORTABLE.pub, DERIVED, UNEXPORTABLE, CKMC_ERROR_INVALID_PARAMETER); + // tizen.org TA can't export RSA keys + deriveEcdh(RSA.prv, "", RSA.pub, DERIVED, UNEXPORTABLE, CKMC_ERROR_INVALID_PARAMETER); } @@ -591,8 +640,32 @@ RUNNER_TEST(TKBKDF_0020_derive_from_derived, DerivedFixture) kbkdfParams.get(), DERIVED.c_str(), "", - "derived2", + DERIVED2.c_str(), UNEXPORTABLE); + + const RawBufferPtr randomData = create_raw_buffer(createRandomBufferCAPI(16)); + ckmc_raw_buffer_s *encrypted = nullptr; + ckmc_raw_buffer_s *decrypted = nullptr; + ParamListPtr params = getDefaultParams(AES_CBC_ALGO); + + assert_positive(ckmc_encrypt_data, + params.get(), + DERIVED2.c_str(), + nullptr, + *randomData.get(), + &encrypted); + + assert_positive(ckmc_decrypt_data, + params.get(), + DERIVED2.c_str(), + nullptr, + *encrypted, + &decrypted); + + assert_buffers_equal(randomData.get(), decrypted); + + ckmc_buffer_free(encrypted); + ckmc_buffer_free(decrypted); } RUNNER_TEST(TKBKDF_0030_unknown_alias, DerivedFixture) @@ -604,7 +677,7 @@ RUNNER_TEST(TKBKDF_0030_unknown_alias, DerivedFixture) "nonexistent-alias", "", DERIVED.c_str(), - EXPORTABLE); + UNEXPORTABLE); } RUNNER_TEST(TKBKDF_0040_wrong_password, DerivedFixture) @@ -616,7 +689,7 @@ RUNNER_TEST(TKBKDF_0040_wrong_password, DerivedFixture) SECRET.c_str(), "wrong-password", DERIVED.c_str(), - EXPORTABLE); + UNEXPORTABLE); } RUNNER_TEST(TKBKDF_0050_alias_exists, DerivedFixture) @@ -640,70 +713,60 @@ RUNNER_TEST(TKBKDF_0050_alias_exists, DerivedFixture) RUNNER_TEST(TKBKDF_0060_derived_password, DerivedFixture) { -#ifndef TZ_BACKEND auto kbkdfParams = getDefaultKBKDFParams(); assert_positive(ckmc_key_derive, kbkdfParams.get(), SECRET.c_str(), "", DERIVED.c_str(), - EXPORTABLE); - - ckmc_key_s *derived = nullptr; - assert_result( - CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_key, DERIVED.c_str(), PASSWORD, &derived); - - assert_positive(ckmc_remove_alias, DERIVED.c_str()); - - assert_positive(ckmc_key_derive, - kbkdfParams.get(), - SECRET.c_str(), - "", - DERIVED.c_str(), - EXPORTABLE_PW); + UNEXPORTABLE_PW); - assert_result( - CKMC_ERROR_AUTHENTICATION_FAILED, ckmc_get_key, DERIVED.c_str(), "", &derived); - assert_positive(ckmc_get_key, DERIVED.c_str(), PASSWORD, &derived); - ckmc_key_free(derived); -#else - auto kbkdfParams = getDefaultKBKDFParams(); assert_positive(ckmc_key_derive, kbkdfParams.get(), SECRET.c_str(), "", - DERIVED.c_str(), - UNEXPORTABLE); - - assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, - ckmc_key_derive, - kbkdfParams.get(), - DERIVED.c_str(), - PASSWORD, DERIVED2.c_str(), UNEXPORTABLE); - assert_positive(ckmc_remove_alias, DERIVED.c_str()); - - assert_positive(ckmc_key_derive, - kbkdfParams.get(), - SECRET.c_str(), - "", - DERIVED.c_str(), - UNEXPORTABLE_PW); + const RawBufferPtr randomData = create_raw_buffer(createRandomBufferCAPI(16)); + ckmc_raw_buffer_s *encrypted = nullptr; + ckmc_raw_buffer_s *decrypted = nullptr; + ParamListPtr params = getDefaultParams(AES_CBC_ALGO); assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, - ckmc_key_derive, - kbkdfParams.get(), - DERIVED.c_str(), - "", - DERIVED2.c_str(), - UNEXPORTABLE); + ckmc_encrypt_data, + params.get(), + DERIVED.c_str(), + nullptr, + *randomData.get(), + &encrypted); - assert_positive(ckmc_remove_alias, DERIVED.c_str()); -#endif + assert_positive(ckmc_encrypt_data, + params.get(), + DERIVED.c_str(), + PASSWORD, + *randomData.get(), + &encrypted); + + assert_result(CKMC_ERROR_AUTHENTICATION_FAILED, + ckmc_decrypt_data, + params.get(), + DERIVED2.c_str(), + PASSWORD, + *encrypted, + &decrypted); + + assert_positive(ckmc_decrypt_data, + params.get(), + DERIVED2.c_str(), + "", + *encrypted, + &decrypted); + assert_buffers_equal(randomData.get(), decrypted); + ckmc_buffer_free(encrypted); + ckmc_buffer_free(decrypted); } RUNNER_TEST(TKBKDF_0070_unexportable, DerivedFixture) diff --git a/src/ckm/unprivileged/key-wrapping.cpp b/src/ckm/unprivileged/key-wrapping.cpp index 830469ed..d5a601c3 100644 --- a/src/ckm/unprivileged/key-wrapping.cpp +++ b/src/ckm/unprivileged/key-wrapping.cpp @@ -31,6 +31,7 @@ ckmc_raw_buffer_s* IV11 = nullptr; ckmc_raw_buffer_s* IV12 = nullptr; ckmc_raw_buffer_s* IV15 = nullptr; ckmc_raw_buffer_s* IV17 = nullptr; +ckmc_raw_buffer_s* IV63 = nullptr; ckmc_raw_buffer_s* IV128 = nullptr; ckmc_raw_buffer_s* AAD32 = nullptr; @@ -89,6 +90,7 @@ public: IV12 = createRandomBufferCAPI(12); IV15 = createRandomBufferCAPI(15); IV17 = createRandomBufferCAPI(17); + IV63 = createRandomBufferCAPI(63); IV128 = createRandomBufferCAPI(128); AAD32 = createRandomBufferCAPI(32); @@ -97,26 +99,27 @@ public: RSA_KEY_1024_PRV_ALIAS.c_str(), RSA_KEY_1024_PUB_ALIAS.c_str(), UNEXPORTABLE, - UNEXPORTABLE); + EXPORTABLE); assert_positive(ckmc_create_key_pair_rsa, 2048, RSA_KEY_2048_PRV_ALIAS.c_str(), RSA_KEY_2048_PUB_ALIAS.c_str(), UNEXPORTABLE, - UNEXPORTABLE); + EXPORTABLE); assert_positive(ckmc_create_key_pair_rsa, 4096, RSA_KEY_4096_PRV_ALIAS.c_str(), RSA_KEY_4096_PUB_ALIAS.c_str(), UNEXPORTABLE, - UNEXPORTABLE); + EXPORTABLE); assert_positive(ckmc_create_key_aes, 128, AES_KEY_128_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 192, AES_KEY_192_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 256, AES_KEY_256_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 128, AES_KEY_128_PASS_ALIAS.c_str(), UNEXPORTABLE_PASS); + assert_positive(ckmc_create_key_aes, 128, AES_KEY_UNEXP_ALIAS.c_str(), UNEXPORTABLE); assert_positive(ckmc_create_key_aes, 128, AES_KEY_UNEXP_PASS_ALIAS.c_str(), UNEXPORTABLE_PASS); @@ -132,7 +135,7 @@ public: ckmc_buffer_free(DEFAULT_IV); ckmc_buffer_free(AAD64); ckmc_buffer_free(AAD32); - ckmc_buffer_free(IV128); + ckmc_buffer_free(IV63); ckmc_buffer_free(IV17); ckmc_buffer_free(IV15); ckmc_buffer_free(IV12); @@ -252,7 +255,7 @@ void testInvalidAlgoParameters(const ParamListPtr &invalidParams, const Algo &al nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); @@ -290,7 +293,7 @@ void testImportInvalidBuffLen(const Algo &algo, nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } @@ -343,24 +346,43 @@ void testImportValidArgs(const Algo &algo, int buffLen, const Alias &wrappingKeyAlias, Alias unwrappingKeyAlias = ""){ - if (unwrappingKeyAlias.empty()) unwrappingKeyAlias = wrappingKeyAlias; ParamListPtr params = getDefaultParams(algo); - RawBufferPtr plainKey = encryptAndImport(params, - buffLen, - wrappingKeyAlias, + RawBufferPtr plainData = create_raw_buffer(createRandomBufferCAPI(buffLen)); + + ckmc_raw_buffer_s *encrypted = nullptr; + ckmc_key_s *aesKey = nullptr; + + assert_positive(ckmc_encrypt_data, + params.get(), + wrappingKeyAlias.c_str(), + nullptr, + *plainData.get(), + &encrypted); + + assert_positive(ckmc_key_new, + encrypted->data, + encrypted->size, + CKMC_KEY_AES, nullptr, - unwrappingKeyAlias, + &aesKey); + + AliasRemover remover(IMPORTED_ALIAS.c_str()); + assert_positive(ckmc_import_wrapped_key, + params.get(), + unwrappingKeyAlias.c_str(), nullptr, IMPORTED_ALIAS.c_str(), + aesKey, UNEXPORTABLE); - assert_aes_key_value(IMPORTED_ALIAS, nullptr, plainKey); + ckmc_buffer_free(encrypted); + ckmc_key_free(aesKey); - ckmc_remove_key(IMPORTED_ALIAS.c_str()); + assert_aes_key_value(IMPORTED_ALIAS, nullptr, plainData); } void testImportRSAHashes(int buffLen, @@ -400,23 +422,54 @@ void testBadWrappedKey(const Algo &algo){ nullptr, IMPORTED_ALIAS.c_str(), wrongKey, - EXPORTABLE); + UNEXPORTABLE); ckmc_key_free(wrongKey); } -#ifndef TZ_BACKEND void testExportableImported(const Algo &algo, int buffLen, const Alias &wrappingKeyAlias, const char* wrappingKeyPass, - const ckmc_policy_s &importedKeyPolicy, const char* importedKeyPass){ + ParamListPtr params = getDefaultParams(algo); + ckmc_policy_s importedKeyPolicy = { const_cast(importedKeyPass), true }; + +#ifdef TZ_BACKEND + RawBufferPtr plainData = create_raw_buffer(createRandomBufferCAPI(buffLen)); + + ckmc_raw_buffer_s *encrypted = nullptr; + ckmc_key_s *aesKey = nullptr; + + assert_positive(ckmc_encrypt_data, + params.get(), + wrappingKeyAlias.c_str(), + wrappingKeyPass, + *plainData.get(), + &encrypted); + + assert_positive(ckmc_key_new, + encrypted->data, + encrypted->size, + CKMC_KEY_AES, + nullptr, + &aesKey); + + // can't import exportable key into into TZ backend + assert_invalid_param(ckmc_import_wrapped_key, + params.get(), + wrappingKeyAlias.c_str(), + wrappingKeyPass, + IMPORTED_ALIAS.c_str(), + aesKey, + importedKeyPolicy); + + ckmc_key_free(aesKey); + ckmc_buffer_free(encrypted); +#else ckmc_key_s *ppKey = nullptr; ckmc_raw_buffer_s* finalData = nullptr; - ParamListPtr params = getDefaultParams(algo); - RawBufferPtr plainData = encryptAndImport(params, buffLen, wrappingKeyAlias, @@ -439,8 +492,8 @@ void testExportableImported(const Algo &algo, ckmc_buffer_free(finalData); ckmc_key_free(ppKey); ckmc_remove_key(IMPORTED_ALIAS.c_str()); -} #endif +} void importKey(const Algo &algo, int buffLen, @@ -787,7 +840,7 @@ RUNNER_TEST(TKW_NO_ADDED_ALGO){ nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } @@ -885,7 +938,7 @@ RUNNER_TEST(TKW_UNKNOWN_ALIAS_WRAPPING_KEY){ nullptr, IMPORTED_ALIAS.c_str(), key, - EXPORTABLE); + UNEXPORTABLE); ckmc_key_free(key); } @@ -901,7 +954,7 @@ RUNNER_TEST(TKW_EXISTING_ALIAS_WRAPPING_KEY){ nullptr, IMP_AES_CTR.c_str(), key, - EXPORTABLE); + UNEXPORTABLE); ckmc_key_free(key); } @@ -918,13 +971,12 @@ RUNNER_TEST(TKW_INVALID_ALIAS_IMPORT){ nullptr, invalidAlias.c_str(), key, - EXPORTABLE); + UNEXPORTABLE); ckmc_key_free(key); } RUNNER_TEST(TKW_BAD_WRAPPED_KEY){ - testBadWrappedKey(AES_CBC_ALGO); testBadWrappedKey(AES_GCM_ALGO); testBadWrappedKey(RSA_OAEP_ALGO); } @@ -957,7 +1009,7 @@ RUNNER_TEST(TKW_NULL_PARAMETER){ nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); assert_invalid_param(ckmc_import_wrapped_key, params.get(), @@ -965,7 +1017,7 @@ RUNNER_TEST(TKW_NULL_PARAMETER){ nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); assert_invalid_param(ckmc_import_wrapped_key, params.get(), @@ -973,7 +1025,7 @@ RUNNER_TEST(TKW_NULL_PARAMETER){ nullptr, nullptr, aesKey, - EXPORTABLE); + UNEXPORTABLE); assert_invalid_param(ckmc_import_wrapped_key, params.get(), @@ -981,7 +1033,7 @@ RUNNER_TEST(TKW_NULL_PARAMETER){ nullptr, IMPORTED_ALIAS.c_str(), nullptr, - EXPORTABLE); + UNEXPORTABLE); ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } @@ -1013,7 +1065,7 @@ RUNNER_TEST(TKW_WRONG_WRAPPED_KEY_TYPE){ nullptr, IMPORTED_ALIAS.c_str(), aesKey, - EXPORTABLE); + UNEXPORTABLE); ckmc_buffer_free(encrypted); ckmc_key_free(aesKey); } @@ -1205,19 +1257,17 @@ RUNNER_TEST(TKW_WRONG_TYPE_WRAPPING_KEY){ testImportInvalidBuffLen(RSA_OAEP_ALGO, 32, RSA_KEY_4096_PUB_ALIAS, RSA_KEY_4096_PUB_ALIAS); } -#ifndef TZ_BACKEND RUNNER_TEST(TKW_DIF_POLICIES_EXPORTABLE_IMPORTED){ - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, EXPORTABLE, nullptr); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_PASS_ALIAS, KEY_PASSWORD, EXPORTABLE, nullptr); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_ALIAS, nullptr, EXPORTABLE, nullptr); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_PASS_ALIAS, KEY_PASSWORD, EXPORTABLE, nullptr); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, nullptr); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_PASS_ALIAS, KEY_PASSWORD, nullptr); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_ALIAS, nullptr, nullptr); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_PASS_ALIAS, KEY_PASSWORD, nullptr); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, EXPORTABLE_PASS, KEY_PASSWORD); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_PASS_ALIAS, KEY_PASSWORD, EXPORTABLE_PASS, KEY_PASSWORD); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_ALIAS, nullptr, EXPORTABLE_PASS, KEY_PASSWORD); - testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_PASS_ALIAS, KEY_PASSWORD, EXPORTABLE_PASS, KEY_PASSWORD); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, KEY_PASSWORD); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_128_PASS_ALIAS, KEY_PASSWORD, KEY_PASSWORD); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_ALIAS, nullptr, KEY_PASSWORD); + testExportableImported(AES_CTR_ALGO, 16, AES_KEY_UNEXP_PASS_ALIAS, KEY_PASSWORD, KEY_PASSWORD); } -#endif RUNNER_TEST(TKW_UNEXPORTABLE_IMPORTED){ ckmc_key_s *ppKey = nullptr; @@ -1263,7 +1313,7 @@ RUNNER_TEST(TKW_EXPORT_WRONG_TYPE_WRAPPING_KEY){ "ECDSA-prv", "ECDSA-pub", UNEXPORTABLE, - UNEXPORTABLE); + EXPORTABLE); assert_invalid_param(ckmc_export_wrapped_key, params.get(), @@ -1452,6 +1502,8 @@ RUNNER_TEST(TKW_EXPORT_UNEXPORTABLE_WRAPPED_FORM){ RUNNER_TEST(TKW_IMPORT_EXPORT_WITH_DIF_KEYS_AND_ALGORITHMS){ testDiffKeysAndAlgorithms(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, AES_CTR_ALGO, AES_KEY_128_ALIAS, nullptr); testDiffKeysAndAlgorithms(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, AES_GCM_ALGO, AES_KEY_256_ALIAS, nullptr); + + // encryption is actually performed using the public part of the key testDiffKeysAndAlgorithms(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, RSA_OAEP_ALGO, RSA_KEY_1024_PRV_ALIAS, nullptr); } @@ -1464,7 +1516,7 @@ RUNNER_TEST(TKW_AES_GCM_WITH_ADD_IV_PARAM){ testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_192_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_AAD, AAD32); testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_256_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_AAD, AAD32); - testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, IV128, CKMC_PARAM_ED_AAD, AAD64); + testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, IV63, CKMC_PARAM_ED_AAD, AAD64); testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, IV12, CKMC_PARAM_ED_AAD, AAD64); testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, IV15, CKMC_PARAM_ED_AAD, AAD64); testImportExportCustomParameters(AES_GCM_ALGO, AES_KEY_128_ALIAS, nullptr, IV17, CKMC_PARAM_ED_AAD, AAD64); @@ -1483,19 +1535,24 @@ RUNNER_TEST(TKW_IMPORT_EXPORT_RSA_LABEL){ testImportExportCustomParameters(RSA_OAEP_ALGO, RSA_KEY_4096_PUB_ALIAS, nullptr, RSA_KEY_4096_PRV_ALIAS, nullptr, DEFAULT_IV, CKMC_PARAM_ED_LABEL, AAD64); } -#ifndef TZ_BACKEND RUNNER_TEST(TKW_RSA_WRAPPED_KEY){ + ParamListPtr params = getDefaultParams(AES_CTR_ALGO); + + AliasRemover removers[] = {"RPV", "RPB", "RPV2", "RPB2"}; + + // SW + assert_positive(ckmc_create_key_pair_rsa, 1024, "RPV", "RPB", EXPORTABLE, EXPORTABLE); + // TZ + assert_positive(ckmc_create_key_pair_rsa, 1024, "RPV2", "RPB2", UNEXPORTABLE, EXPORTABLE); + ckmc_raw_buffer_s *encrypted = nullptr; ckmc_raw_buffer_s *rsaKeyData = nullptr; - ckmc_key_s *ppKey = nullptr; ckmc_key_s *rsaKey = nullptr; ckmc_key_s *wrappedRsaKey = nullptr; + ckmc_key_s *exportedKey = nullptr; - ParamListPtr params = getDefaultParams(AES_CTR_ALGO); - - assert_positive(ckmc_create_key_pair_rsa, 1024, "RPV", "RPB", EXPORTABLE, EXPORTABLE); - assert_positive(ckmc_get_key, "RPV", nullptr, &rsaKey); + assert_positive(ckmc_get_key, "RPB", nullptr, &rsaKey); assert_positive(ckmc_buffer_new, rsaKey->raw_key, rsaKey->key_size, &rsaKeyData); assert_positive(ckmc_encrypt_data, @@ -1524,20 +1581,17 @@ RUNNER_TEST(TKW_RSA_WRAPPED_KEY){ params.get(), AES_KEY_256_ALIAS.c_str(), nullptr, - "RPV", + "RPV2", nullptr, - &ppKey); + &exportedKey); ckmc_buffer_free(rsaKeyData); ckmc_buffer_free(encrypted); ckmc_key_free(wrappedRsaKey); ckmc_key_free(rsaKey); - ckmc_key_free(ppKey); + ckmc_key_free(exportedKey); ckmc_remove_key(IMPORTED_ALIAS.c_str()); - ckmc_remove_key("RPB"); - ckmc_remove_key("RPV"); } -#endif RUNNER_TEST(TKW_IMPORT_EXPORT_AES_CTR){ testImportExportValidArgs(AES_CTR_ALGO, 16, AES_KEY_128_ALIAS, nullptr, UNEXPORTABLE, nullptr);