From: Dariusz Michaluk Date: Wed, 22 Jan 2020 12:17:02 +0000 (+0100) Subject: Merge branch 'ckm' into tizen X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e48c25dc3275d300739bddd87b3b59971859a89f;hp=36c1b5fe1d10be3fea5204ba2d372ea17c2707fa;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Merge branch 'ckm' into tizen Change-Id: Iac9d5cc6393e8598a33c783aabff77006046b187 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index bb04faf..9135436 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,7 +34,7 @@ INCLUDE(FindPkgConfig) ############################# compiler flags ################################## SET(CMAKE_C_FLAGS "-g") -SET(CMAKE_CXX_FLAGS "-g -std=c++0x") +SET(CMAKE_CXX_FLAGS "-g -std=c++14") SET(CMAKE_C_FLAGS_PROFILING "-O0 -pg") SET(CMAKE_CXX_FLAGS_PROFILING "-O0 -pg") SET(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb") diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec index 2df0f8f..96a3bb9 100644 --- a/packaging/security-tests.spec +++ b/packaging/security-tests.spec @@ -34,6 +34,7 @@ BuildRequires: pkgconfig(vconf) BuildRequires: pkgconfig(libgum) >= 1.0.5 BuildRequires: pkgconfig(security-privilege-manager) BuildRequires: pkgconfig(libsystemd) +BuildRequires: openssl1.1 Requires: perf Requires: gdb Requires: diffutils diff --git a/src/ckm/CMakeLists.txt b/src/ckm/CMakeLists.txt index 9ccc124..97f1239 100644 --- a/src/ckm/CMakeLists.txt +++ b/src/ckm/CMakeLists.txt @@ -29,6 +29,10 @@ ENDIF (DEFINED SECURITY_MDFPP_STATE_ENABLED) ADD_DEFINITIONS("-DCKM_TEST_DIR=\"${CKM_TEST_DIR}\"") ADD_DEFINITIONS("-DCKM_RW_DATA_DIR=\"${CKM_RW_DATA_DIR}\"") +OPTION("TZ_BACKEND" OFF) +IF(TZ_BACKEND) + ADD_DEFINITIONS("-DTZ_BACKEND") +ENDIF(TZ_BACKEND) OPTION("TZ_BACKEND" OFF) IF(TZ_BACKEND) diff --git a/src/ckm/keys/pkcs12.tgz b/src/ckm/keys/pkcs12.tgz deleted file mode 100644 index 0dfe5e2..0000000 Binary files a/src/ckm/keys/pkcs12.tgz and /dev/null differ diff --git a/src/ckm/keys/pkcs12/HOWTO.txt b/src/ckm/keys/pkcs12/HOWTO.txt new file mode 100644 index 0000000..b1af637 --- /dev/null +++ b/src/ckm/keys/pkcs12/HOWTO.txt @@ -0,0 +1,131 @@ +This guideline explains how src/resource/pkcs.p12 is generated. + + +The certificate chain looks as follows (arrow denotes the signing): + +SERVER <-- CA_INT <-- CA + +That is the CA is a root CA, CA_INT is an intermediate/1st level CA, +and SERVER is a final/2nd level CA. + + +Files: +- ca.key, CA's private key used to sign CA_INT certificate +- ca.crt, CA's certificate used to verify a certificate chain (it's + the last certificate in the chain) +- ca-int.key, CA_INT's private key used to sign SERVER certificate +- ca-int.csr, CA_INT's certificate signing request (to be signed with + ca.key) +- ca-int.crt, CA_INT's certificate signed by CA +- server.key, SERVER's private key used to sign client certificates +- server.csr, SERVER's certificate signing request (to be signed with + ca-int.key) +- server.crt, SERVER's certificate signed by CA_INT +- chain.pem, chain of CA, CA_INT and SERVER certificates in PEM format + (can be used for validation) + + +Keys should be left untouched. In case they are lost they can be +regenerated with: + + openssl genrsa -out ca.key 1024 (or any other lenght) + + +Certificate signing requests + + Each certificate must have a different Common Name (CN). The command + for CSR generation will prompt you for it (and for other fields). + + +Openssl ca setup + + Openssl 1.1.1 requires root and intermediate CA certficates (that is + all 3 of above) to have a 'CA' set to 'true' in basicConstraints + extension. It applies to trusted certificates as well. The 'openssl + ca' tool allows that with proper configuration. Modifications in + /etc/ssl/openssl.cnf in [ CA_default ] section: + - set 'x509_extensions' to 'v3_ca' to add the v3 CA extension, + - set 'policy' to 'policy_anything' to get rid of strict CSR field + matching rules. + + Before 'openssl ca' can be used you have to provide a proper + directory structure for it. By default it needs a following hierarchy + in ./demoCA (paths can be modified in /etc/ssl/openssl.cnf): + - demoCA/ + - private/ + - cakey.pem - The private key used to sign the certificate. For + ca-int.csr it will be ca.key. + - cacert.pem - The certificate of the signing CA. For ca-int.csr it + will be ca.crt. + - index.txt - Empty file (touch index.txt) + - serial - A file with serial number (echo 1000 > serial) + + +Certificate generation + +- CA: + + Generate a self signed certificate (root ca): + + openssl req -key ca.key -new -x509 -days 3650 -sha256 -out ca.crt + +- CA_INT: + + Generate a signing request: + + openssl req -new -key ca.key -out ca-int.csr + + Sign the certificate using CA: + + openssl ca -days 3650 -notext -md sha256 -in ca-int.csr -out \ + ca-int.crt + +- SERVER: + + Generate a signing request: + + openssl req -new -key ca-int.key -out server.csr + + Sign the certificate using CA_INT: + + openssl ca -days 3650 -notext -md sha256 -in server.csr -out \ + server.crt + + +Export server private key, certificate and the rest of the chain to +pkcs12: + + cat ca.crt ca-int.crt > chain.pem + + openssl pkcs12 -export -out pkcs.p12 -inkey server.key -in server.crt \ + -certfile chain.pem + + +Useful commands + +- Display certificate info + + openssl x509 -in ca.crt -text -noout + +- Display csr info + + openssl req -in ca-int.csr -text -noout + +- Display pkcs12 contents in PEM format + + openssl pkcs12 -in pkcs.p12 -info + +- Display certificate purpose + + openssl x509 -in ca.crt -purpose + +- Sign a client's certificate with server one: + + openssl req -new -key server.key -out client.csr + openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \ + -CAcreateserial -out client.crt -days 3650 + +- Verify a certficate against a local chain + + openssl verify -CAfile chain.pem client.crt + diff --git a/src/ckm/keys/pkcs12/ca-int.crt b/src/ckm/keys/pkcs12/ca-int.crt new file mode 100644 index 0000000..dea0763 --- /dev/null +++ b/src/ckm/keys/pkcs12/ca-int.crt @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM +MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft +c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI +hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX +DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh +dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR +Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp +AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o +u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX +C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW +BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY +kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW +gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8 +7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS +vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx +-----END CERTIFICATE----- diff --git a/src/ckm/keys/pkcs12/ca-int.csr b/src/ckm/keys/pkcs12/ca-int.csr new file mode 100644 index 0000000..ecd6d3e --- /dev/null +++ b/src/ckm/keys/pkcs12/ca-int.csr @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRY2Et +aW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEpAxNN +reF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7ou3c3 +oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVXC9pU +GRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGgADANBgkqhkiG9w0BAQsF +AAOBgQC8b7cVVV4z5Bp/XxowzlfhMGL17EE2vgMwpCNNQ+fOpPrrEwmhyg0I4R5+ +iXrnxELVI/cqBUpS84ZHBlNgQAS8F9Wx6AU0yEUBcNqJiMjUreA56VZAfGb+/Sv+ +t6ZQrYtof38aaHfMxhYlCsZzuKGNWvQsLAgxvlBQgHEW9xsqHQ== +-----END CERTIFICATE REQUEST----- diff --git a/src/ckm/keys/pkcs12/ca-int.key b/src/ckm/keys/pkcs12/ca-int.key new file mode 100644 index 0000000..0b3b26e --- /dev/null +++ b/src/ckm/keys/pkcs12/ca-int.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXwIBAAKBgQDhKQMTTa3hfhz0z85zXXlKXMF3yX+bA43wvaeuPIw24sLvH8hK +VkMoNV54aBnN2Uk+6Lt3N6CavPa8OS/HOL8RukB1xNzR82Thab7vraciHH6E6AUV +IihJqbetEposQPVVVwvaVBkclJ4wyOFrr9mTcNOJWICBhPY3UjAPnUimHwIDAQAB +AoGBAMvEP+JCVHBTn4T2Y5IIL/JaS0RK+M6iwtvx50RJy2MIiP27N5n+wzwqQFqb +a27di+oA2Vck4pXnGSxyXIjhFBgWdLmryJM44DSVlWanb5n2A1GW291MGA8bGR/H +TCbsuaEm3Z2ggFighQAp2Zuao2lKuMDOgOzpu+0k7lqtfsqxAkEA8ZHC7ocrlRtM +EzafCi1htuwl9t02Do1q+wn8u5kbKPJ7q4ZNm/sUECfHBE7SbwxNxIEWKuZ5U8V4 +A42VPnO9gwJBAO6cT4IdILqxfxNPd97DY+rT64O/mPIJGC3cmDonf4kc+RuaqbT+ +D9WKp1cwmoeaJDrWbWFWi3cjBrrLd6JxzjUCQQC7s8Heq6Mesd4z065SLx8NDoMV +RZ+aQSJOO91oOzhSYc/cYHfvanGVeAL5AvIaHVpUBOWfogPGJtrxD9NWeoJXAkEA +n4CLwZ15AHOgT6dCqP2R8Crjd3l/YuPjbtzUQaOfpGdiuiokIaHnscZy4FzUH6tR +ZqdqDLROnEAkwn86pLNQtQJBAOAsXPLUpVuJEtPZB1CNLdFkRqkqgFNPnGSIUnTp ++f5H8AHCb1tX/QllL3s6phZ9qds0qrwNxQzgiVATXZyRov4= +-----END RSA PRIVATE KEY----- diff --git a/src/ckm/keys/pkcs12/ca.crt b/src/ckm/keys/pkcs12/ca.crt new file mode 100644 index 0000000..301187d --- /dev/null +++ b/src/ckm/keys/pkcs12/ca.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV +BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl +MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx +MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG +UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV +BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r +YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6 +xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY +druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O +BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg +4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ +SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3 +ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA +2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw= +-----END CERTIFICATE----- diff --git a/src/ckm/keys/pkcs12/ca.key b/src/ckm/keys/pkcs12/ca.key new file mode 100644 index 0000000..234a51a --- /dev/null +++ b/src/ckm/keys/pkcs12/ca.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I +v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI +ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB +AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA +snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/ +iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh +dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY +bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO +vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R +ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7 +pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm +oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D +3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7 +-----END RSA PRIVATE KEY----- diff --git a/src/ckm/keys/pkcs12/chain.pem b/src/ckm/keys/pkcs12/chain.pem new file mode 100644 index 0000000..b4b75e6 --- /dev/null +++ b/src/ckm/keys/pkcs12/chain.pem @@ -0,0 +1,51 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV +BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl +MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx +MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG +UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV +BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r +YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6 +xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY +druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O +BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg +4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ +SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3 +ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA +2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM +MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft +c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI +hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX +DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh +dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR +Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp +AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o +u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX +C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW +BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY +kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW +gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8 +7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS +vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx +EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg +UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw +NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD +VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC +DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY +xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD +VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b +6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA +pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3 +cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh +DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o= +-----END CERTIFICATE----- diff --git a/src/ckm/keys/pkcs12/server.crt b/src/ckm/keys/pkcs12/server.crt new file mode 100644 index 0000000..40b6b69 --- /dev/null +++ b/src/ckm/keys/pkcs12/server.crt @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx +EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg +UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw +NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD +VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC +DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY +xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD +VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b +6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA +pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3 +cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh +DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o= +-----END CERTIFICATE----- diff --git a/src/ckm/keys/pkcs12/server.csr b/src/ckm/keys/pkcs12/server.csr new file mode 100644 index 0000000..11fc7f9 --- /dev/null +++ b/src/ckm/keys/pkcs12/server.csr @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vy +dmVyQHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOCY+6t +NBrfBueUz72cIRC+EO+JhG9IL1MvmUAwEKYFKX3e/RQFdayo75+YAg2blAlrz2EX +k3tDjG299IlQ8h7LOjBM4QYzhTcWcm2Ww1Cyg1sWU3JAuhlmaZjiWMbr9ipf4kYG +BL38ny69oNaS+z6S2Q5HKB83PgaLkMRFPt55AgMBAAGgADANBgkqhkiG9w0BAQsF +AAOBgQCY3jWaE33hy1JVni9bLCUYwOz6VJVV8d1WWpSf7CpIgrXUQFPOIfO71jlf +Vn99iYCUIodq+9M9dyeNoU1mkAp2LpG3Y3DjePpIyM3zLLEM/CmQ9ZbuS/zKl5fO +KoItsRl0uFJEEEHw7lWxdRuIvzix5SFxTApiMPktjtCs/9eAew== +-----END CERTIFICATE REQUEST----- diff --git a/src/ckm/keys/pkcs12/server.key b/src/ckm/keys/pkcs12/server.key new file mode 100644 index 0000000..a1197d7 --- /dev/null +++ b/src/ckm/keys/pkcs12/server.key @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U +BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy +QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB +AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn +RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh +22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR +wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys +PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU +91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9 +uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS +Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2 +wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx +bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw== +-----END RSA PRIVATE KEY----- diff --git a/src/ckm/privileged/CMakeLists.txt b/src/ckm/privileged/CMakeLists.txt index c83e5b2..705562c 100644 --- a/src/ckm/privileged/CMakeLists.txt +++ b/src/ckm/privileged/CMakeLists.txt @@ -26,6 +26,9 @@ SET(EIV_KEY_TO_BE_IMPORTED "KeyOne16BytesLen") SET(EIV_PLAIN_MESSAGE "ShortTestMessage") SET(EIV_MESSAGE_ENCRYPTION_IV "abcdefghijklmnop") +SET(EIV_TEST_ASYM_XML_FILENAME "encrypted_initial_values_asym.xml") +SET(EIV_TEST_ASYM_XML ${CMAKE_CURRENT_SOURCE_DIR}/${EIV_TEST_ASYM_XML_FILENAME}) + # encrypt ShortTestMessage using the imported key and 'abcdefghijklmnop' IV EXECUTE_PROCESS( COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/aes_128_cbc_encrypt.sh ${EIV_KEY_TO_BE_IMPORTED} ${EIV_MESSAGE_ENCRYPTION_IV} @@ -38,18 +41,39 @@ IF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0") MESSAGE(FATAL_ERROR "Encryption failed: ${EIV_ENCRYPTION_STDERR}") ENDIF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0") +SET(EIV_FILES ${EIV_TEST_XML} ${EIV_TEST_ASYM_XML}) + # prepare initial values xml target -ADD_CUSTOM_COMMAND(OUTPUT ${EIV_TEST_XML} - COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key +ADD_CUSTOM_COMMAND(OUTPUT ${EIV_FILES} COMMAND echo -n THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE= | base64 --decode > /tmp/encryption_key - COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware -x ${EIV_TEST_XML} + + COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware > ${EIV_TEST_XML} + + COMMAND openssl genpkey -algorithm RSA -outform DER > /tmp/prvkey + COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PRV -t Key -s RSA_PRV > ${EIV_TEST_ASYM_XML} + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML} + + COMMAND openssl genpkey -algorithm RSA -outform PEM > /tmp/prvkey.pem + COMMAND openssl pkcs8 -topk8 -inform PEM -in /tmp/prvkey.pem -outform DER -nocrypt -out /tmp/prvkey + COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PRV -t Key -s RSA_PRV -x ${EIV_TEST_ASYM_XML} + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML} + + COMMAND openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt dsa_paramgen_q_bits:160 > /tmp/params.pem + COMMAND openssl genpkey -paramfile /tmp/params.pem -outform DER > /tmp/prvkey + COMMAND openssl dsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_DSA_PRV -t Key -s DSA_PRV -x ${EIV_TEST_ASYM_XML} + COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_DSA_PUB -t Key -s DSA_PUB -x ${EIV_TEST_ASYM_XML} + COMMENT "Generating encrypted initial values test xml" VERBATIM ) -ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_TEST_XML}) +ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_FILES}) -INSTALL(FILES ${EIV_TEST_XML} DESTINATION ${CKM_TEST_DIR}) +INSTALL(FILES ${EIV_FILES} DESTINATION ${CKM_TEST_DIR}) # ckm-tests PKG_CHECK_MODULES(CKM_DEP @@ -90,6 +114,7 @@ TARGET_COMPILE_DEFINITIONS(${TARGET_CKM_PRIVILEGED_TESTS} PRIVATE EIV_ENCRYPTED_MESSAGE_HEX="${EIV_ENCRYPTED_MESSAGE_HEX}" PRIVATE EIV_MESSAGE_ENCRYPTION_IV="${EIV_MESSAGE_ENCRYPTION_IV}" PRIVATE EIV_TEST_XML_FILENAME="${EIV_TEST_XML_FILENAME}" + PRIVATE EIV_TEST_ASYM_XML_FILENAME="${EIV_TEST_ASYM_XML_FILENAME}" ) INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin) diff --git a/src/ckm/privileged/aes_128_cbc_encrypt.sh b/src/ckm/privileged/aes_128_cbc_encrypt.sh index 69a74ee..baad9a8 100755 --- a/src/ckm/privileged/aes_128_cbc_encrypt.sh +++ b/src/ckm/privileged/aes_128_cbc_encrypt.sh @@ -1,4 +1,5 @@ -#!/bin/bash -e +#!/bin/bash +set -euo pipefail if [ "$#" -ne 2 ] then diff --git a/src/ckm/privileged/capi-access_control.cpp b/src/ckm/privileged/capi-access_control.cpp index f0328ed..db28b1c 100644 --- a/src/ckm/privileged/capi-access_control.cpp +++ b/src/ckm/privileged/capi-access_control.cpp @@ -37,6 +37,16 @@ const char* TEST_ALIAS2 = "test-alias2"; const char* TEST_ALIAS3 = "test-alias3"; const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf"; +const char* RSA_PUB_KEY_PEM = + "-----BEGIN PUBLIC KEY-----\n" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n" + "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n" + "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n" + "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n" + "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n" + "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n" + "zQIDAQAB\n" + "-----END PUBLIC KEY-----"; void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights) { @@ -889,3 +899,156 @@ RUNNER_TEST(T3145_control_deprecated_remove_allowed, RemoveDataEnv) check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str()); } } + +RUNNER_TEST(utc_ckmc_get_key_alias_info_list_p) +{ + ckmc_alias_info_list_s* ppalias_list = NULL; + + int ret = ckmc_get_key_alias_info_list(&ppalias_list); + ckmc_alias_info_list_all_free(ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret)); +} + +RUNNER_TEST(utc_ckmc_get_key_alias_info_list_n) +{ + int ret = ckmc_get_key_alias_info_list(NULL); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret)); +} + +RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_p) +{ + ckmc_alias_info_list_s* ppalias_list = NULL; + + int ret = ckmc_get_cert_alias_info_list(&ppalias_list); + ckmc_alias_info_list_all_free(ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret)); +} + +RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_n) +{ + int ret = ckmc_get_cert_alias_info_list(NULL); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret)); +} + + +RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p1) +{ + ckmc_alias_info_list_s* ppalias_list = NULL; + + int ret = ckmc_get_data_alias_info_list(&ppalias_list); + ckmc_alias_info_list_all_free(ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret)); +} + + +RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p2, RemoveDataEnv) +{ + ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1); + save_data(TEST_ALIAS, TEST_DATA); + + ckmc_alias_info_list_s* ppalias_list = NULL; + + int ret = ckmc_get_data_alias_info_list(&ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, returned: " << CKMCErrorToString(ret)); + + char* alias = NULL; + ret = ckmc_alias_info_get_alias(ppalias_list->info, &alias); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias, returned: " << CKMCErrorToString(ret)); + RUNNER_ASSERT_MSG(ppalias_list->next == NULL, "More elements returned"); + std::string aliasOrig = std::string(APP_LABEL_1) + " " + std::string(TEST_ALIAS); + RUNNER_ASSERT_MSG(strcmp(alias, aliasOrig.c_str()) == 0, "Invalid aliast returned : " << alias); + + ckmc_alias_info_list_all_free(ppalias_list); + +} + + +RUNNER_TEST(utc_ckmc_get_data_alias_info_list_n) +{ + int ret = ckmc_get_data_alias_info_list(NULL); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret)); +} + +RUNNER_TEST(utc_ckmc_alias_info_get_alias_p) +{ + ckmc_alias_info_list_s *ppalias_list, *tmp; + ckmc_key_s test_key; + ckmc_policy_s test_policy; + int ret; + char* current_alias; + const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias"; + bool foundAlias = false; + + test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM; + test_key.key_size = strlen(RSA_PUB_KEY_PEM); + test_key.key_type = CKMC_KEY_RSA_PUBLIC; + test_key.password = NULL; + + test_policy.password = NULL; + test_policy.extractable = true; + + ret = ckmc_save_key(alias, test_key, test_policy); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + + ret = ckmc_get_key_alias_info_list(&ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + + tmp = ppalias_list; + + while (tmp) { + ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + if (strstr(current_alias, alias)) { + foundAlias = true; + break; + } + tmp = tmp->next; + } + ckmc_alias_info_list_all_free(ppalias_list); + ckmc_remove_key(alias); + RUNNER_ASSERT_MSG(foundAlias == true, "Expected to find alias, but alias not found"); +} + +RUNNER_TEST(utc_ckmc_alias_info_is_password_protected_p) +{ + ckmc_alias_info_list_s *ppalias_list, *tmp; + ckmc_key_s test_key; + ckmc_policy_s test_policy; + int ret; + char* current_alias; + const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias"; + bool foundAlias = false; + + test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM; + test_key.key_size = strlen(RSA_PUB_KEY_PEM); + test_key.key_type = CKMC_KEY_RSA_PUBLIC; + test_key.password = NULL; + + test_policy.password = NULL; + test_policy.extractable = true; + + ret = ckmc_save_key(alias, test_key, test_policy); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + + ret = ckmc_get_key_alias_info_list(&ppalias_list); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + + tmp = ppalias_list; + + while (tmp) { + ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + if (strstr(current_alias, alias)) { + foundAlias = true; + bool is_password_protected; + ret = ckmc_alias_info_is_password_protected(tmp->info, &is_password_protected); + RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret)); + RUNNER_ASSERT(is_password_protected == false); + break; + } + tmp = tmp->next; + } + ckmc_alias_info_list_all_free(ppalias_list); + ckmc_remove_key(alias); + RUNNER_ASSERT(foundAlias == true); +} diff --git a/src/ckm/privileged/initial-values.cpp b/src/ckm/privileged/initial-values.cpp index ab3629b..3953ac1 100644 --- a/src/ckm/privileged/initial-values.cpp +++ b/src/ckm/privileged/initial-values.cpp @@ -63,40 +63,36 @@ std::string XML_3_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, " std::string XML_3_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test3-cert1"); std::string XML_3_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test3-data1"); -std::string format_src_path(const char *file) +auto format_dest_path(const char *file) { - return std::string(CKM_TEST_DIR) + std::string(file); + return std::string(CKM_RW_DATA_DIR "/initial_values/") + file; } -std::string format_dest_path(const char *file) -{ - return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file); +void test_not_exists(const char *file) { + const auto name = format_dest_path(file); + const bool file_exists = access(name.c_str(), F_OK) != -1; + RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists"); } -void copy_file(const std::string &from, const std::string &to) +void copy_file(const char *file) { - std::ifstream infile(from, std::ios_base::binary); - RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist."); - std::ofstream outfile(to, std::ios_base::binary); - RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager."); + const auto src = std::string(CKM_TEST_DIR) + file; + const auto dest = format_dest_path(file); + std::ifstream infile(src, std::ios_base::binary); + RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist."); + std::ofstream outfile(dest, std::ios_base::binary); + RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager."); outfile << infile.rdbuf(); } -void restart_key_manager() +void restart_key_manager(const std::initializer_list files_to_copy = {}) { stop_service(MANAGER); + for (const auto f : files_to_copy) + copy_file(f); start_service(MANAGER); } -void test_exists(const std::string& name, bool expected) { - bool file_exists = (access( name.c_str(), F_OK ) != -1); - RUNNER_ASSERT_MSG(file_exists == expected, - "File " << name << " status: " << file_exists << - " while expected: " << expected); -} - -} - int hexToBin(char h) { if (h >= '0' && h <= '9') return h - '0'; @@ -117,6 +113,8 @@ CKM::RawBuffer hexToBin(std::string &hex) { return output; } +} // namespace + RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES); RUNNER_TEST(T6001_init) @@ -128,19 +126,10 @@ RUNNER_TEST(T6001_init) // restart the key-manager // check XML file doesn't exist - copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay)); - copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay)); - copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong)); - - test_exists(format_dest_path(XML_1_okay), true); - test_exists(format_dest_path(XML_2_okay), true); - test_exists(format_dest_path(XML_3_wrong), true); - - restart_key_manager(); - - test_exists(format_dest_path(XML_1_okay), false); - test_exists(format_dest_path(XML_2_okay), false); - test_exists(format_dest_path(XML_3_wrong), false); + const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong}; + restart_key_manager(files); + for (const auto f : files) + test_not_exists(f); } RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP) @@ -269,8 +258,7 @@ RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>) std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX; std::string iv = EIV_MESSAGE_ENCRYPTION_IV; - copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME)); - restart_key_manager(); + restart_key_manager({EIV_TEST_XML_FILENAME}); CKM::CryptoAlgorithm algo; CKM::RawBuffer messageBin = hexToBin(messageHex); @@ -285,6 +273,44 @@ RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>) RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match"); } +RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>) +{ + restart_key_manager({EIV_TEST_ASYM_XML_FILENAME}); + constexpr char testDataStr[] = "test-data"; + const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1); + CKM::RawBuffer encrypted, decrypted, signature; + CKM::CryptoAlgorithm algoRsa; + algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP); + + auto mgr = CKM::Manager::create(); + int temp; + + #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0) + + const auto rsaCrypt = [&](auto pub, auto prv) { + MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted); + RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted"); + MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted); + RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match"); + }; + + rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV"); + rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV"); + + const auto sign = [&](auto prv, auto pub, auto hash, auto pad) { + MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature); + MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad); + }; + + constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512; + constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931; + sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo); + sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo); + sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE); + + #undef MGR +} + /* TODO * - RW/RO location support (files removal, flag handling) * - item overwrite diff --git a/src/ckm/resource/pkcs.p12 b/src/ckm/resource/pkcs.p12 index 4548d51..3dff3d6 100644 Binary files a/src/ckm/resource/pkcs.p12 and b/src/ckm/resource/pkcs.p12 differ diff --git a/src/ckm/test-certs.cpp b/src/ckm/test-certs.cpp index ff137b1..939e11f 100644 --- a/src/ckm/test-certs.cpp +++ b/src/ckm/test-certs.cpp @@ -40,15 +40,15 @@ enum RawCertificateID { TEST_LEAF, // TEST_LEAF, signed by TEST_IM_CA, expires 2035 // third party - DIGICERT_ROOT_CA, // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031 - DIGICERT_IM_CA, // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA, - // expires 22 Oct 2028 - FACEBOOK_COM, // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA, - // expires 22 Mar 2019 + BALTIMORE_CYBER_TRUST_ROOT, // Baltimore CyberTrust Root, (root CA), expires May 13, 2025 + MS_IT_TLS_CA_4, // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root, + // expires May 20, 2024 + MICROSOFT_COM, // www.microsoft.com - signed by Microsoft IT TLS CA 4, + // expires January 16, 2020 // ocsp available chain on third party - MICROSOFT_IM_CA, // MICROSOFT_IM_CA, signed by Baltimore CyberTrust Root, expires 20 May 2024 - BING_COM, // BING, signed by MICROSOFT_IM_CA, expires 10 Jul 2019 + MS_IT_TLS_CA_2, // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024 + BING_COM, // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021 // footer - last element in the set NO_CERT @@ -85,11 +85,11 @@ RawCertificateID toRawCertificateID(certificateID id) case certificateID::TEST_IM_CA: return RawCertificateID::TEST_IM_CA; case certificateID::TEST_LEAF: return RawCertificateID::TEST_LEAF; - case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::DIGICERT_ROOT_CA; - case certificateID::THIRD_PARTY_IM_CA: return RawCertificateID::DIGICERT_IM_CA; - case certificateID::THIRD_PARTY_LEAF: return RawCertificateID::FACEBOOK_COM; + case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT; + case certificateID::THIRD_PARTY_IM_CA: return RawCertificateID::MS_IT_TLS_CA_4; + case certificateID::THIRD_PARTY_LEAF: return RawCertificateID::MICROSOFT_COM; - case certificateID::OCSP_AVAILABLE_IM: return RawCertificateID::MICROSOFT_IM_CA; + case certificateID::OCSP_AVAILABLE_IM: return RawCertificateID::MS_IT_TLS_CA_2; case certificateID::OCSP_AVAILABLE_LEAF: return RawCertificateID::BING_COM; case certificateID::NO_CERT: return RawCertificateID::NO_CERT; @@ -186,230 +186,248 @@ CertMap initializeTestCerts() cm[RawCertificateID::TEST_LEAF].certPtr = createCert(raw_base64); } - // BING.COM, signed by MICROSOFT_IM_CA, expires 10 Jul 2019 + // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021 { std::string raw_base64( "-----BEGIN CERTIFICATE-----\n" - "MIIMAjCCCeqgAwIBAgITLQAAMpnXBx230XCKQgAAAAAymTANBgkqhkiG9w0BAQsF\n" + "MIIN+jCCC+KgAwIBAgITIAAGDxuOsc5CY0aDQgAAAAYPGzANBgkqhkiG9w0BAQsF\n" "ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n" "B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n" - "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDUw\n" - "HhcNMTcwNzIwMTc0NzA4WhcNMTkwNzEwMTc0NzA4WjAXMRUwEwYDVQQDEwx3d3cu\n" - "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jsg+/7Dl\n" - "IrdgFOcaDlK3RQ9sIgkJsgpj+ZxAbIe3ziyimIxjVlHX87pqgXcNhaYNbCFD0iPm\n" - "+aUfbv4GDTLR+AIr8eSegqxZ+CBToYM67NhpVYra1KAvY4XgqxorO4FB9IWYJRqh\n" - "I3SZeZ3lLK5t9XuUMicG8l52nJfpPdXXvBca2wUCq8FHEObG81vJzESA0htLLPTj\n" - "dUWBQnXPiW5bqzlGHzzv8ISV6jtDLNNa5JRlhSlXho+6pCedhNF7MP4yTaantPvA\n" - "ELLRWX13VhjgoCcRCCu0s8rxW5DuVWl2Pb2iw35MFnNWlcoVwq0AjAfGA+xEba/W\n" - "Lid6qfkQctYjAgMBAAGjggfQMIIHzDAdBgNVHQ4EFgQUCYflhSl4MCAls91+3Gzt\n" - "pSmoA3AwCwYDVR0PBAQDAgSwMB8GA1UdIwQYMBaAFAj+JZ906ocEwry7jqg4XzPG\n" - "0WxlMIGsBgNVHR8EgaQwgaEwgZ6ggZuggZiGS2h0dHA6Ly9tc2NybC5taWNyb3Nv\n" - "ZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n" - "MjA1LmNybIZJaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3Js\n" - "L01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0ElMjA1LmNybDCBhQYIKwYBBQUHAQEE\n" - "eTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n" - "Y29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwNS5jcnQwIgYIKwYBBQUH\n" - "MAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20wPgYJKwYBBAGCNxUHBDEwLwYnKwYB\n" - "BAGCNxUIh9qGdYPu2QGCyYUbgbWeYYX062CBXYTS30KC55N6AgFkAgEQMB0GA1Ud\n" - "JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBNBgNVHSAERjBEMEIGCSsGAQQBgjcq\n" - "ATA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n" - "Y29ycC9jcHMwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcD\n" - "ATCCBW0GA1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20u\n" - "Y26CEyoucGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZp\n" - "ZW9ubGluZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5p\n" - "ZW9ubGluZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5i\n" - "aW5nLm5ldIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5l\n" - "dIINKi5jbi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNv\n" - "bYIQc3NsLWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMu\n" - "Y29tgg9iaW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2lu\n" - "c2VydG1lZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5i\n" - "YXQuYmluZy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29t\n" - "gg4qLnNzbC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5j\n" - "bi5iaW5nLmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwu\n" - "YmluZy5jb22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5i\n" - "aW5nc2FuZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0\n" - "dS5saXZlLmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVz\n" - "LmRpdHUubGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50\n" - "aWxlcy5kaXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxp\n" - "dmUuY29tghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNv\n" - "bYIVY253ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2\n" - "ZS5jb22CEWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2Vz\n" - "LmxpdmUuY29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5j\n" - "b22CFGxzNGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRp\n" - "YS5saXZlLmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMu\n" - "bGl2ZS5jb20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3Jp\n" - "Z2luLmNud2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNv\n" - "bYIPc2VhcmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxp\n" - "dmUuY29tgg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIM\n" - "d2FwLmxpdmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2\n" - "ZS5jb22CFXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20u\n" - "YXUwDQYJKoZIhvcNAQELBQADggIBADTpW/UWeupk40OP6k4yxihKStswxwqPAfMR\n" - "mx4XyqmTAawAKRNM+6EZth1BQdPdOplwRTvs69kkmUHJH+ZjYXBezEACWkzEiNUQ\n" - "nzkRWajdSQIz08Ubj/mBD6U8xLYD+NXgiB0xNWabd8aiPsqPaj6I3qkNw4JvtgtH\n" - "ZQG1zlwC5/Lu6yV3DM3sKpQMyBmOnX6nVUiS0MTOzLgZOQzRk07nO7EXWGcKTmDB\n" - "jE8cqv5IA/jQ6gtaxCI5pDxfXK4ct7oQyoChfxOXcEDKMmMndFmg9ch5c4an/FRM\n" - "2cgzDfjR01A71LNUpLUdOjNV0T+ZEStqEpdyDFfjrHGDtzLyqEz3iyvvQFyjmlGh\n" - "6OtZXwjCPpnVSrKCmfJKio0kUxyq+6t5tZAQbPVgFKiMrVnU+sgvmNVip1toijyz\n" - "8vMVCkwJ2G++7xjJukoELMxZ50W4/SAMZLy1Asx02NBwYCu9+CTQPVnmPe7rmxhl\n" - "QRBOfDNa1+5jwRHY64YudEzKhWR1uqS3ABd/fk+TL86yuNYGAgxnOm1FtOGieRgV\n" - "iV3+NzC+bDbuUOtmbD/GvDGmRwJRcCTHL7jBmkHePh2ABY93NE/IbkaDP6l1Kw98\n" - "AfqkzSUxhqHXuThe7KIoX9/0zv4AA1WZFis1QvAG7dpl9eio6vCdC/73HvBAlqRL\n" - "+7Mb1uu0\n" + "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDIw\n" + "HhcNMTkwNDMwMjA0ODAwWhcNMjEwNDMwMjA0ODAwWjAXMRUwEwYDVQQDEwx3d3cu\n" + "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhIlPb0iP7\n" + "xRmUScK43QI7Ci/lvfMumWhRFAHcFzjIDHs74sq0B+ze8HW5PR6LWRe/d3yR5dC8\n" + "7gQs0qXGitzsP9vWJcpwKV273tlnWiEfgZx5tvNCFdHOqoYoHL3a8zed/JkGTEeX\n" + "ukGEX0TeBgCjcVTj5qRxJhjlWxs3AcB/q4f4vi3QG80TbSU2UO0lkvhvfs73C1jq\n" + "i7Zspia/YsMqcQ6X+APAZ+4guKjQr5q32tzj2FGtJO6ZmZuNV9Wwb32891UhwZ3D\n" + "2PrIcnCNlIQ1/Fah6im7Vc67qO2x/++r7gO7PtR8byCFnFuNUVQxhSIkCkj6FvPx\n" + "cYefok0wJ0VRAgMBAAGjggnIMIIJxDCCAfQGCisGAQQB1nkCBAIEggHkBIIB4AHe\n" + "AHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFqcApGzAAABAMA\n" + "RjBEAiAiASIs5j19VcTLbxcOGHQlIl62d3iy1FY8dnNq+6lebQIgchbSq2Qh78zs\n" + "mmucyslucBycij/FYUe3F1lNpJiB9KsAdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAl\n" + "CBcvo6odBxPTDAAAAWpwCkgDAAAEAwBHMEUCIQDx6RqcvDdfIY9qdAuaRFBVvSHN\n" + "ttpAzie3KP9AAiGvBwIgSMvjse/hJusDoRFnSTtX96ierTaqzQH4oDLLnW/Gwc0A\n" + "dQBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAWpwCkbmAAAEAwBG\n" + "MEQCICbYF6Lv93BFrwLguzmas/5gQ87fzRHkTaMxDSD7PlhRAiA/DXOeTcHaiUPQ\n" + "WsKbJ/7x9EWKvVisqtQMnYk6cBxbBwB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2Msx\n" + "tT/TM5a1toGoAAABanAKRtoAAAQDAEcwRQIgardRfR7bxwSGF212a603dXYz6O5z\n" + "YHpPks8/RR/AMzQCIQD4VYDD+2zVDHEjz8elkKEzhgzTdOMtc1yYhCU+eHAGkjAn\n" + "BgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMD4GCSsGAQQB\n" + "gjcVBwQxMC8GJysGAQQBgjcVCIfahnWD7tkBgsmFG4G1nmGF9OtggV2E0t9CgueT\n" + "egIBZAIBHTCBhQYIKwYBBQUHAQEEeTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3\n" + "Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUy\n" + "MENBJTIwMi5jcnQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20w\n" + "HQYDVR0OBBYEFDcHtZt8HkKSRO8ETiTkCLixB9PaMAsGA1UdDwQEAwIEsDCCBW0G\n" + "A1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20uY26CEyou\n" + "cGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZpZW9ubGlu\n" + "ZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5pZW9ubGlu\n" + "ZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5iaW5nLm5l\n" + "dIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5ldIINKi5j\n" + "bi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNvbYIQc3Ns\n" + "LWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMuY29tgg9i\n" + "aW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2luc2VydG1l\n" + "ZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5iYXQuYmlu\n" + "Zy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29tgg4qLnNz\n" + "bC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5jbi5iaW5n\n" + "LmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwuYmluZy5j\n" + "b22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5iaW5nc2Fu\n" + "ZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0dS5saXZl\n" + "LmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVzLmRpdHUu\n" + "bGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50aWxlcy5k\n" + "aXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxpdmUuY29t\n" + "ghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNvbYIVY253\n" + "ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2ZS5jb22C\n" + "EWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2VzLmxpdmUu\n" + "Y29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5jb22CFGxz\n" + "NGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRpYS5saXZl\n" + "LmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMubGl2ZS5j\n" + "b20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3JpZ2luLmNu\n" + "d2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNvbYIPc2Vh\n" + "cmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxpdmUuY29t\n" + "gg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIMd2FwLmxp\n" + "dmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2ZS5jb22C\n" + "FXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20uYXUwgawG\n" + "A1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0cDovL21zY3JsLm1pY3Jvc29mdC5jb20v\n" + "cGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3Js\n" + "hklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9z\n" + "b2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3JsME0GA1UdIARGMEQwQgYJKwYBBAGC\n" + "NyoBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv\n" + "bXNjb3JwL2NwczAfBgNVHSMEGDAWgBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAdBgNV\n" + "HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAA1g\n" + "NJF5ks5Qrg0/qeOXQbcO3SCs+HKTKxVL8QdaTL3s5gsmWQzcYNS671DmN4lEob2g\n" + "WWZKyKAzQbjDOcf9ndxX4+i+PaCw5K3uONbMOwnuOCwRvDy8YEoCb3OzKFX4sjzh\n" + "1HVL/ljKHUPT+9ap/SpYserNxixibqF2LZYx+9hwr1bcx9GWrg3CoFUFgSZqRQ14\n" + "eiK94iM5kzJLKynKPhez+UOwS5VRev1mxh5nD9hBPzXHHqI9mNWu/lyr7KPUMigi\n" + "QfKKZuqV6W3i1H3BoJi1uDkL3SJo1F39XN3AyGSAZWS9RNn5JzEQQGiJRjrz/PE1\n" + "vTg1BlbsPdKa4gGZGdGBWcj2eXZc+GbLpTy3qWlmJrEn2KGLeomyndlftRPFrBUH\n" + "/5Mio5OeSawjlacBV25fKaoZ1BPc3i+HGKd5ctddCy6kJsgdMD221zGvf/0uW25Z\n" + "ImzDeH7KkOcGbzyWJwBzDgra0RP+qRgK3aYPSWI81OLlnHJ2VOix/UU63NCK2fO/\n" + "URzE8KxoHrgRGXCE52viHv6ksL7QXWelbERU7GEpcZU1suPhDohn4CrfrCYCjpa5\n" + "Ys6ci7Rren82SsXJBfNrgm2U4lxWfzWj+2Ay6yATbdoOPntue8cbbMoTzoNMHQXD\n" + "2DpjtFPs8/RVOFQb0IFVluCrTAnHmI8tTtsmzg6z\n" "-----END CERTIFICATE-----\n"); cm[RawCertificateID::BING_COM].raw_base64 = raw_base64; cm[RawCertificateID::BING_COM].certPtr = createCert(raw_base64); } - // MICROSOFT_IM_CA, expires 20 May 2024 + // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024 { std::string raw_base64( "-----BEGIN CERTIFICATE-----\n" - "MIIFtDCCBJygAwIBAgIQCIjNUl8ZJERNFKWCkd65UjANBgkqhkiG9w0BAQsFADBa\n" + "MIIFtDCCBJygAwIBAgIQDywQyVsGwJN/uNRJ+D6FaTANBgkqhkiG9w0BAQsFADBa\n" "MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n" "clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n" - "MDUyMDEyNTMwM1oXDTI0MDUyMDEyNTMwM1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n" + "MDUyMDEyNTE1N1oXDTI0MDUyMDEyNTE1N1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n" "VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n" "b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n" - "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n" - "MIICCgKCAgEAmt+BXDuPrul5lrmaeaeB8jnaVShGIwLFgmYHthXe/Zw6GpuRCdJm\n" - "jwuJF/hxhyF/ONM/miUAtzXQq/gIejbzUFvfKykn3qTdJJL69MZwjTYqmvCA3jX6\n" - "HkKdCYGq1QcKFqXFWkJtQr4eQoK0VzCZW0Ur1I/TCgbGc5Ok4YPvxb8FJ6d4zbML\n" - "4J4iFvOY3KYU6MyU1yP50FCZu7ULEJXx3wLpj46dVpk82I/TWPtckn49e/hQSVr3\n" - "EHt3+OZKkEpVUt6UrXQJoGRXLM0HkJ8WrZXD0Qa68e9sBbUErKncGzGbDi0ZlQRP\n" - "3mbLrTVyrxmCCLIUOhZfsDyb240MsALWJh/oFXHE7/ljOUOM6cKSLqHCoDAlDpYn\n" - "X56jK4LWEL08GR6mh/5VITpcQfwBmMwvkv9mOLS4ZpwPEmhLSqyGu16Y/56mnFNs\n" - "MxGk0K5SR9eLj/GWrLkpmo8s8a1kGMMmuwBk3lBwwLvsxmuu06DvwPFcDfLMelna\n" - "GDMvWRCtZxQsXyJDSkTh6N3g51UWTgnvA0wMSFBa8APfju9jyltnh0NALAa2Hw8+\n" - "U8BmP9cUFeYIYphIfoPlp7VdUS1ULWH9NF3Ut4DN0n3OsSQ785dsbBPeihfJivVI\n" - "lUL3EpDjEBf2oQDFNiplkZ4F7EIuWriZG//UTrX6ZlXZg46/CCmN+gsCAwEAAaOC\n" - "AUIwggE+MB0GA1UdDgQWBBQI/iWfdOqHBMK8u46oOF8zxtFsZTAfBgNVHSMEGDAW\n" + "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n" + "MIICCgKCAgEAnqoVwRuhY1/mURjFFrsR3AtNm5EKukBJK9zWBgvFd1ksNEJFC06o\n" + "yRbwKPMflpW/HtOfzIeBliGk57MwZq18bgASr70sPUWuoD917HUgBfxBYoF8zA7Z\n" + "Ie5zAHODFboJL7Fg/apgbQs/GiZZNCi0QkQUWzw0nTUmVSNQ0mz6pCu95Dv1WMsL\n" + "GyPGfdN9zD3Q/QEDyJ695QgjRIxYA1DUE+54ti2k6r0ycKFQYkyWwZ25HD1h2kYt\n" + "3ovW85vF6y7tjTqUEcLbgKUCB81/955hdLLsbFd6f9o2PkU8xuOc3U+bUedvv6Sb\n" + "tvGjBEZeFyH8/CaQhzlsKMH0+OPOFv/bMqcLarPw1V1sOV1bl4W9vi2278niblzI\n" + "bEHt7nN888p4KNIwqCcXaGhbtS4tjn3NKI6v1d2XRyxIvCJDjgoZ09zF39Pyoe92\n" + "sSRikZh7xns4tQEQ8BCs4o5NBSx8UxEsgyzNSskWGEWqsIjt+7+A1skDDZv6k2o8\n" + "VCHNbTLFKS7d72wMI4ErpzVsBIicxaG2ezuMBBuqThxIiJ+G9zfoP9lxim/9rvJA\n" + "xbh3nujA1VJfkOYTJIojEAYCxR3QjEoGdapJmBle97AfqEBnwoJsu2wav8h9v+po\n" + "DL4h6dRzRUxY1DHypcFlXGoHu/REQgFLq2IN30/AhQLN90Pj9TT2RQECAwEAAaOC\n" + "AUIwggE+MB0GA1UdDgQWBBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAfBgNVHSMEGDAW\n" "gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n" "DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n" "BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n" "aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n" "LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n" "AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n" - "CwUAA4IBAQA+8s8wpXq/HmrfOVgYKDzDne7ngcVL/Gf2vx9ON9re8K/uivkDe2Bn\n" - "dMc72v8rSuv9VHUTi+XCgRK6UhIguimKOs1DJMzVFwX+nBY/c+BtQcB2PfKrSMVZ\n" - "YmS6RE8KGII/Qeo/GDpY56AwV3X10WoxFLaUmWXatugB3uSr+7Xz5RkKGF+kAlfe\n" - "tlwmb3P+Lgn1CEPED8ckf50oZ2Wh3FvwOv34cIXnpU8k3kI/HUQ7XYUGhR0eHNTZ\n" - "TlHk/R4RFsyeANmXGpfjZceGNRtTdr4y0SxBSUujPpMMW3dXBzA8NYuM0WmiJ/pV\n" - "6KudEB7RF9+6bInTyVvXC5SIqdi0ldeO\n" + "CwUAA4IBAQBsf+pqb89rW8E0rP/cDuB9ixMX4C9OWQ7EA7n0BSllR64ZmuhU9mTV\n" + "2L0G4HEiGXvOmt15i99wJ0ho2/dvMxm1ZeufkAfMuEc5fQ9RE5ENgNR2UCuFB2Bt\n" + "bVmaKUAWxscN4GpXS4AJv+/HS0VXs5Su19J0DA8Bg+lo8ekCl4dq2G1m1WsCvFBI\n" + "oLIjd4neCLlGoxT2jA43lj2JpQ/SMkLkLy9DXj/JHdsqJDR5ogcij4VIX8V+bVD0\n" + "NCw7kQa6Ulq9Zo0jDEq1at4zSeH4mV2PMM3LwIXBA2xo5sda1cnUWJo3Pq4uMgcL\n" + "e0t+fCut38NMkTl8F0arflspaqUVVUov\n" "-----END CERTIFICATE-----\n"); - cm[RawCertificateID::MICROSOFT_IM_CA].raw_base64 = raw_base64; - cm[RawCertificateID::MICROSOFT_IM_CA].certPtr = createCert(raw_base64); + cm[RawCertificateID::MS_IT_TLS_CA_2].raw_base64 = raw_base64; + cm[RawCertificateID::MS_IT_TLS_CA_2].certPtr = createCert(raw_base64); } - // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031 + // Baltimore CyberTrust Root, (root CA), expires May 13, 2025 { std::string raw_base64 = std::string( "-----BEGIN CERTIFICATE-----\n" - "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n" - "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" - "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n" - "ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n" - "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n" - "LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n" - "RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n" - "+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n" - "PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n" - "xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n" - "Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n" - "hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n" - "EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n" - "MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n" - "FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n" - "nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n" - "eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n" - "hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n" - "Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n" - "vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n" - "+OkuE6N36B9K\n" + "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n" + "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n" + "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n" + "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n" + "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n" + "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n" + "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n" + "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n" + "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n" + "XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n" + "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n" + "jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n" + "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n" + "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n" + "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n" + "jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n" + "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n" + "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n" + "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n" "-----END CERTIFICATE-----\n"); - cm[RawCertificateID::DIGICERT_ROOT_CA].raw_base64 = raw_base64; - cm[RawCertificateID::DIGICERT_ROOT_CA].certPtr = createCert(raw_base64); + cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].raw_base64 = raw_base64; + cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].certPtr = createCert(raw_base64); } - // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA, expires 22 Oct 2028 + // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root, expires May 20, 2024 { std::string raw_base64 = std::string( "-----BEGIN CERTIFICATE-----\n" - "MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs\n" - "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" - "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n" - "ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL\n" - "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n" - "LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy\n" - "YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2\n" - "4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC\n" - "Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1\n" - "itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn\n" - "4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X\n" - "sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft\n" - "bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA\n" - "MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n" - "NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy\n" - "dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t\n" - "L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG\n" - "BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ\n" - "UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D\n" - "aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd\n" - "aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH\n" - "E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly\n" - "/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu\n" - "xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF\n" - "0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae\n" - "cPUeybQ=\n" + "MIIFtDCCBJygAwIBAgIQC2qzsD6xqfbEYJJqqM3+szANBgkqhkiG9w0BAQsFADBa\n" + "MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n" + "clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n" + "MDUyMDEyNTIzOFoXDTI0MDUyMDEyNTIzOFowgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n" + "VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n" + "b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n" + "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n" + "MIICCgKCAgEAq+XrXaNrOZ71NIgSux1SJl19CQvGeY6rtw7fGbLd7g/27vRW5Ebi\n" + "kg/iZwvjHHGk1EFztMuZFo6/d32wrx5s7XEuwwh3Sl6Sruxa0EiB0MXpoPV6jx6N\n" + "XtOtksDaxpE1MSC5OQTNECo8lx0AnpkYGAnPS5fkyfwA8AxanTboskDBSqyEKKo9\n" + "Rhgrp4qs9K9LqH5JQsdiIMDmpztd65Afu4rYnJDjOrFswpTOPjJry3GzQS65xeFd\n" + "2FkngvvhSA1+6ATx+QEnQfqUWn3FMLu2utcRm4j6AcxuS5K5+Hg8y5xomhZmiNCT\n" + "sCqDLpcRHX6BIGHksLmbnG5TlZUixtm9dRC62XWMPD8d0Jb4M0V7ex9UM+VIl6cF\n" + "JKLb0dyVriAqfZaJSHuSetAksd5IEfdnPLTf+Fhg9U97NGjm/awmCLbzLEPbT8QW\n" + "0JsMcYexB2uG3Y+gsftm2tjL6fLwZeWO2BzqL7otZPFe0BtQsgyFSs87yC4qanWM\n" + "wK5c2enAfH182pzjvUqwYAeCK31dyBCvLmKM3Jr94dm5WUiXQhrDUIELH4Mia+Sb\n" + "vCkigv2AUVx1Xw41wt1/L3pnnz2OW4y7r530zAz7qB+dIcHz51IaXc4UV21QuEnu\n" + "sQsn0uJpJxJuxsAmPuekKxuLUzgG+hqHOuBLf5kWTlk9WWnxcadlZRsCAwEAAaOC\n" + "AUIwggE+MB0GA1UdDgQWBBR6e4zBz+egyhzUa/r74TPDDxqinTAfBgNVHSMEGDAW\n" + "gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n" + "DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n" + "BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n" + "aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n" + "LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n" + "AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQAR/nIGOiEKN27I9SkiAmKeRQ7t+gaf77+eJDUX/jmIsrsB4Xjf0YuX\n" + "/bd38YpyT0k66LMp13SH5LnzF2CHiJJVgr3ZfRNIfwaQOolm552W95XNYA/X4cr2\n" + "du76mzVIoZh90pMqT4EWx6iWu9El86ZvUNoAmyqo9DUA4/0sO+3lFZt/Fg/Hjsk2\n" + "IJTwHQG5ElBQmYHgKEIsjnj/7cae1eTK6aCqs0hPpF/kixj/EwItkBE2GGYoOiKa\n" + "3pXxWe6fbSoXdZNQwwUS1d5ktLa829d2Wf6l1uVW4f5GXDuK+OwO++8SkJHOIBKB\n" + "ujxS43/jQPQMQSBmhxjaMmng9tyPKPK9\n" "-----END CERTIFICATE-----\n"); - cm[RawCertificateID::DIGICERT_IM_CA].raw_base64 = raw_base64; - cm[RawCertificateID::DIGICERT_IM_CA].certPtr = createCert(raw_base64); + cm[RawCertificateID::MS_IT_TLS_CA_4].raw_base64 = raw_base64; + cm[RawCertificateID::MS_IT_TLS_CA_4].certPtr = createCert(raw_base64); } - // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA, expires 22 Mar 2019 + // www.microsoft.com - signed by Microsoft IT TLS CA 4, expires January 16, 2020 { std::string raw_base64 = std::string( "-----BEGIN CERTIFICATE-----\n" - "MIIGsjCCBZqgAwIBAgIQCzw7YBoY9Z7itrsFYF7ywDANBgkqhkiG9w0BAQsFADBw\n" - "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" - "d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz\n" - "dXJhbmNlIFNlcnZlciBDQTAeFw0xNzEyMTUwMDAwMDBaFw0xOTAzMjIxMjAwMDBa\n" - "MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpN\n" - "ZW5sbyBQYXJrMRcwFQYDVQQKEw5GYWNlYm9vaywgSW5jLjEXMBUGA1UEAwwOKi5m\n" - "YWNlYm9vay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIA87IjqqM6JBX\n" - "puN20BXCVsDjoP9wnF2rSV60qC130oLTrgfOQ3Uk1dv1R6LFCx4gs2pJUu6iDKBS\n" - "/b+BXOUbo4IEGDCCBBQwHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjsw\n" - "HQYDVR0OBBYEFMD9dPV9y8Yn8QPTYqJF14QcFSEIMIHHBgNVHREEgb8wgbyCDiou\n" - "ZmFjZWJvb2suY29tgg4qLnh4LmZiY2RuLm5ldIILKi5mYnNieC5jb22CDioueHou\n" - "ZmJjZG4ubmV0gg4qLmZhY2Vib29rLm5ldIIOKi54eS5mYmNkbi5uZXSCDyoubWVz\n" - "c2VuZ2VyLmNvbYIGZmIuY29tggsqLmZiY2RuLm5ldIIIKi5mYi5jb22CECoubS5m\n" - "YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb22CDGZhY2Vib29rLmNvbTAOBgNVHQ8B\n" - "Af8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRu\n" - "MGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZl\n" - "ci1nNi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhh\n" - "LXNlcnZlci1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEF\n" - "BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMG\n" - "CCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu\n" - "Y29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln\n" - "aUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA\n" - "MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY\n" - "BPkb37jjd80OyA3cEAAAAWBXnEHoAAAEAwBHMEUCIBC3Rn4i2bhLyR344u3vl7be\n" - "vxoi+WPJBhGT+j1gJmg5AiEAwQ3rzH1mmMSYNYKtVNDZMo+l6e8Z35t+X9NDR7Du\n" - "gWAAdwCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWBXnEL7AAAE\n" - "AwBIMEYCIQCRjvvPARW3J1ENmo2Nz1cxisa1BcbDuqvSrfuXkz8btAIhAPmllqgF\n" - "8JjlVHUChiFzghsKVBeTxRagi55tgsAciaoZAHUAu9nfvB+KcbWTlCOXqpJ7RzhX\n" - "lQqrUugakJZkNo4e0YUAAAFgV5xCUgAABAMARjBEAiBY6qdNgMoQAqVTl3zRrTmy\n" - "+X/1f/esBUczsb3MWdZ1ZgIgXdxZNTrDBgyTzxgbVRObkqU3tZZdaiwsw4WI0xI0\n" - "BtQwDQYJKoZIhvcNAQELBQADggEBAGu0uxZD+IRXXlFWLPvknRkXA7J08NyVKG70\n" - "M2vDi2xF2YB8qlZgoxW8YiiV86IpwtOhYLZinSO0iCBDQmTf627LTPfuDcF6qOuO\n" - "WFTvj1IbplPvGWIu5tNBiFWNQxFAIL2Rf+5vmIe+YezUHTLGGqwRtFa2ImS17IMk\n" - "YjZ90LYXXO5qb1RKkFJtAvEBTbJsv8kr+J6Rx+YNJy17LnBX+MbWiyBbvUQoM3sY\n" - "MmcWmcaQmECz9ZHWYjZeufSHbHKG6KDYLU8x6DyhgtxK2rsoIMlNnJkNHaLjw+b8\n" - "7VCYa+EMWppvVuNyXOk9Jkbx7Q3SEoodT77kkHUX0bF2OkZy6cc=\n" + "MIIHnzCCBYegAwIBAgITFgAAoiZScXH3VKzEFgAAAACiJjANBgkqhkiG9w0BAQsF\n" + "ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n" + "B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n" + "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDQw\n" + "HhcNMTgwMTE2MjEyNDAyWhcNMjAwMTE2MjEyNDAyWjCBiDELMAkGA1UEBhMCVVMx\n" + "CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv\n" + "ZnQgQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEa\n" + "MBgGA1UEAxMRd3d3Lm1pY3Jvc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQDM6uKEPBupNS4BXRWdhU6RzawVP27lFo4eiAOloEHaXYM1DoPU\n" + "Jxxt+uyhwkk8yIZFKLK9AKX0qtqTVFOh3TFk77uGJKlfyugpVs+5sGGffhd0y2cG\n" + "SyOltJLcf/v31tRjeN/xNi9CeHtcK46ksqgp9kdTDd1IuxDO9fN45LRPZkRuOpNy\n" + "yXAHlMyVDO4Xfgt8CYH/ssmr1ZqYr98dO9iAiU+eFrz6huBCAJfFzMXWznbpwrsd\n" + "41TjE5zPJkHaB9BOKuLZySfEQhIRewexFtJXlT88Kj6SfIoe2naZxqDW/tQVVzRx\n" + "ID092mXdVEjL2MZ6GocNk1pPezqY8wOUjgA7AgMBAAGjggL7MIIC9zCBmQYDVR0R\n" + "BIGRMIGOghVwcml2YWN5Lm1pY3Jvc29mdC5jb22CEWMucy1taWNyb3NvZnQuY29t\n" + "gg1taWNyb3NvZnQuY29tghFpLnMtbWljcm9zb2Z0LmNvbYIYc3RhdGljdmlldy5t\n" + "aWNyb3NvZnQuY29tghF3d3cubWljcm9zb2Z0LmNvbYITd3d3cWEubWljcm9zb2Z0\n" + "LmNvbTAdBgNVHQ4EFgQUMqJLlf7sAXZDo1IX+BIPkeyx9OcwHwYDVR0jBBgwFoAU\n" + "enuMwc/noMoc1Gv6++Ezww8aop0wgawGA1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0\n" + "cDovL21zY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0\n" + "JTIwSVQlMjBUTFMlMjBDQSUyMDQuY3JshklodHRwOi8vY3JsLm1pY3Jvc29mdC5j\n" + "b20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDQu\n" + "Y3JsMIGFBggrBgEFBQcBAQR5MHcwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWlj\n" + "cm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n" + "MjA0LmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTA+Bgkr\n" + "BgEEAYI3FQcEMTAvBicrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdhNLf\n" + "QoLnk3oCAWQCARowHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAsGA1Ud\n" + "DwQEAwIEsDBNBgNVHSAERjBEMEIGCSsGAQQBgjcqATA1MDMGCCsGAQUFBwIBFido\n" + "dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcHMwJwYJKwYBBAGC\n" + "NxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC\n" + "AgEAZQDBGHkYWARoiApsKcns0lfEuovFuh9CQ3ZMVTDjDhvls0IcuddtEvETXdB+\n" + "h8+vgIx4jC7SmsRrpEH28X06qEZCMd1vPP/rEI9ZYwAnzabB/HRkGsPHv/hkjVbh\n" + "csqYVkPyD9MYc+cgRE0Nggh+l2fIuSxrMvFw0iLsE/7ZkyiZFWfLkddu/be7gjoY\n" + "IbNyS6E2HQkHlexz9QBUMHERUYBuqey+c1l45WTgLJUWsqeIZJ01oekLkdkR4tg1\n" + "pZbnFjDeRBqFLnUU1RMHlgKodJYPMzBCkZGRk0mCZJDJcZv62HNdT/Zuz4yHLz6K\n" + "QcjpVZacYyqeBBqJtus5zSJKP8l9MqZYbihsmAlXZdeXPwiB+YEeGGEGi2iDV39e\n" + "Ss6rPCL1BYZ5kvfoBdSfTAPmviK4ezCUuBL/k4YulsrquoAC/Sz+xFVEBK+qdYXc\n" + "zxgFMxXnx6XjxkKGYrf33g6e/9XexHsyWolQhrmbZE3GrTmH9hbqh0bg+95qhk0o\n" + "q+iDWy3Lj5ZnexabBg/r+szxTNmPp0LIvMcM1YW9hkAyDYuDSB0Yee/p+ByJUeMI\n" + "T55F/YO/Qtqc7Z2vNvnq/229nly2lg8AVwDliH30hloIffEXMY3xJWwDUG6Uj++g\n" + "+838tBwUOF9wrBIwh9pI8EQLW9HUROzSg8ALy7tgVWuowFo=\n" "-----END CERTIFICATE-----\n"); - cm[RawCertificateID::FACEBOOK_COM].raw_base64 = raw_base64; - cm[RawCertificateID::FACEBOOK_COM].certPtr = createCert(raw_base64); + cm[RawCertificateID::MICROSOFT_COM].raw_base64 = raw_base64; + cm[RawCertificateID::MICROSOFT_COM].certPtr = createCert(raw_base64); } return cm; diff --git a/src/ckm/unprivileged/CMakeLists.txt b/src/ckm/unprivileged/CMakeLists.txt index 6efdfbe..14a8973 100644 --- a/src/ckm/unprivileged/CMakeLists.txt +++ b/src/ckm/unprivileged/CMakeLists.txt @@ -23,6 +23,7 @@ SET(CKM_SOURCES capi-testcases.cpp encryption-decryption-env.cpp encryption-decryption.cpp + sign-verify.cpp main.cpp ) diff --git a/src/ckm/unprivileged/capi-testcases.cpp b/src/ckm/unprivileged/capi-testcases.cpp index 95d2a32..0e0cfca 100644 --- a/src/ckm/unprivileged/capi-testcases.cpp +++ b/src/ckm/unprivileged/capi-testcases.cpp @@ -779,11 +779,8 @@ RUNNER_TEST(T3044_remove_bin_data_C_API) RUNNER_TEST(T3045_save_big_data_C_API, RemoveDataEnv) { -#ifdef TZ_BACKEND + // We don't know which backend will be used const size_t BIG_SIZE = 100000; -#else - const size_t BIG_SIZE = 5000000; -#endif std::vector big_data(BIG_SIZE); std::ifstream is("/dev/urandom", std::ifstream::binary); diff --git a/src/ckm/unprivileged/encryption-decryption.cpp b/src/ckm/unprivileged/encryption-decryption.cpp index 76f1c92..c183c81 100644 --- a/src/ckm/unprivileged/encryption-decryption.cpp +++ b/src/ckm/unprivileged/encryption-decryption.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,12 +22,12 @@ #include #include -#include -#include +#include #include #include #include +#include #include #include #include @@ -57,24 +57,6 @@ EncryptionError apiEncrypt(ckmc_param_list_h params, return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted); } -// Policy backend to use in subsequent operations (global for each test case) -PolicyBackend g_backend = PolicyBackend::DEFAULT; - -class testBackend { -public: - testBackend(PolicyBackend backend){ - m_backend = g_backend; - g_backend = backend; - } - - virtual ~testBackend(){ - //restore in destructor - g_backend = m_backend; - } -private: - PolicyBackend m_backend; -}; - inline CKM::Password _tostring(const char *str) { return (str == nullptr) ? Password() : Password(str); @@ -127,167 +109,184 @@ struct KeyAliasPair Alias pub; }; -class EncEnv : public RemoveDataEnv { -public: - EncEnv() : m_dbu(NULL) {} - ~EncEnv() { delete m_dbu; } - - void init(const std::string& str) { - RemoveDataEnv::init(str); - m_dbu = new ScopedDBUnlock(UID, "db-pass"); // unlock user's database +struct SyncEnv { + void init(const std::string&) { + g_api = &g_syncApi; } void finish() { - delete m_dbu; - m_dbu = NULL; - RemoveDataEnv::finish(); - g_api = NULL; - } - - ScopedDBUnlock* m_dbu; -}; - -struct SyncEnv : public EncEnv { - void init(const std::string& str) { - EncEnv::init(str); - g_api = &g_syncApi; + g_api = nullptr; } static std::string suffix() { return "_sync"; } }; -struct AsyncEnv : public EncEnv { - void init(const std::string& str) { - EncEnv::init(str); +struct AsyncEnv { + void init(const std::string&) { g_api = &g_asyncApi; } + void finish() { + g_api = nullptr; + } + static std::string suffix() { return "_async"; } }; -struct AlgoBase { - ckmc_algo_type_e m_type; - size_t m_keyLen; - - AlgoBase(ckmc_algo_type_e type, size_t keyLen) : m_type(type), m_keyLen(keyLen) {} - - virtual KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr) = 0; +struct Algo { + ckmc_algo_type_e type; + size_t keyLen; }; -typedef std::shared_ptr AlgoBasePtr; +std::unordered_map> g_symKeys; +std::unordered_map> g_asymKeys; -template -AlgoBasePtr createAlgo(ckmc_algo_type_e type, size_t keyLen) { - return AlgoBasePtr(new T(type, keyLen)); -} +enum KeyIdx { + PRIMARY = 0, + PASSWORD_PROTECTED = 1, -struct AlgoAes : public AlgoBase { - AlgoAes(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {} - KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr); + KEY_IDX_MAX }; -KeyAliasPair AlgoAes::keyGen(const char* pass, const char* suffix) -{ - KeyAliasPair aliases; - std::ostringstream oss; - std::string ownerId = getOwnerIdFromSelf(); - CharPtr passPtr(nullptr, free); - if (pass) - passPtr.reset(strdup(pass)); +RawBufferPtr PLAIN_DATA; +RawBufferPtr BIG_DATA; +ckmc_raw_buffer_s* DEFAULT_IV; +ckmc_raw_buffer_s* IV11; +ckmc_raw_buffer_s* IV12; +ckmc_raw_buffer_s* IV15; +ckmc_raw_buffer_s* IV17; +ckmc_raw_buffer_s* IV128; +ckmc_raw_buffer_s* AAD32; +ckmc_raw_buffer_s* AAD64; - oss << "aes_" << static_cast(m_type) << "_" << m_keyLen << "_key_alias"; - if (suffix) - oss << suffix; - aliases.prv = aliasWithLabel(ownerId.c_str(),oss.str().c_str()); - aliases.pub = aliasWithLabel(ownerId.c_str(), oss.str().c_str()); +KeyAliasPair getKey(const Algo& algo, KeyIdx idx) +{ + if (algo.type == CKMC_ALGO_RSA_OAEP) + return g_asymKeys[algo.keyLen][idx]; - ckmc_policy_s policy; - policy.extractable = false; - policy.password = passPtr.get(); + KeyAliasPair pair; + pair.prv = g_symKeys[algo.keyLen][idx]; + pair.pub = pair.prv; + return pair; +} - auto mgr = CKM::Manager::create(); - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyAES(m_keyLen, Alias(aliases.prv.c_str()), - _toCkmPolicy(policy, g_backend)), - "AES key creation failed"); +class EncGroupFixture: public DPL::Test::TestGroup +{ +public: + void Init() override + { + remove_user_data(UID); + int ret = ckmc_unlock_user_key(UID, "db-pass"); + if (ret != CKMC_ERROR_NONE) + RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret)); + + // Policy backend to use in subsequent operations (global for each test case) +#ifdef TZ_BACKEND + m_backend = PolicyBackend::FORCE_HARDWARE; +#else + m_backend = PolicyBackend::FORCE_SOFTWARE; +#endif + + // generate keys + m_manager = Manager::create(); + generateSymmetricKeys(128); + generateSymmetricKeys(192); + generateSymmetricKeys(256); + generateRsaKeys(1024); + generateRsaKeys(2048); + generateRsaKeys(4096); + + PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); +#ifdef TZ_BACKEND + BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000)); +#else + BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000)); +#endif + DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN); + IV11 = createRandomBufferCAPI(11); + IV12 = createRandomBufferCAPI(12); + IV15 = createRandomBufferCAPI(15); + IV17 = createRandomBufferCAPI(17); + IV128 = createRandomBufferCAPI(128); + AAD32 = createRandomBufferCAPI(32); + AAD64 = createRandomBufferCAPI(64); + } - return aliases; -} + void generateSymmetricKeys(size_t bitLen) + { + for (int i = 0; i < KEY_IDX_MAX; i++) + { + Policy p(Password(), false, m_backend); + if (i == PASSWORD_PROTECTED) + p.password.assign(PASSWORD); + + std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i); + int ret = m_manager->createKeyAES(bitLen, alias, p); + if (ret != CKM_API_SUCCESS) + RUNNER_ERROR_MSG("AES key creation failed"); + + g_symKeys[bitLen].push_back(alias); + } + } -struct AlgoRsa : public AlgoBase { - AlgoRsa(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {} - KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr); -}; + void generateRsaKeys(size_t bitLen) + { + for (int i = 0; i < KEY_IDX_MAX; i++) + { + Policy prvPolicy(Password(), false, m_backend); + Policy pubPolicy(Password(), true, m_backend); + if (i == PASSWORD_PROTECTED) { + prvPolicy.password.assign(PASSWORD); + pubPolicy.password.assign(PASSWORD); + } + + KeyAliasPair alias; + alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i); + alias.pub = std::string("pub") + alias.prv; + int ret = m_manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy); + if (ret != CKM_API_SUCCESS) + RUNNER_ERROR_MSG("RSA key creation failed"); + + g_asymKeys[bitLen].push_back(alias); + } + } -KeyAliasPair AlgoRsa::keyGen(const char* pass, const char* suffix) -{ - std::ostringstream oss_prv, oss_pub; - oss_prv << "rsa_oaep_prv_alias_" << m_keyLen; - oss_pub << "rsa_oaep_pub_alias_" << m_keyLen; - if (suffix) { - oss_prv << suffix; - oss_pub << suffix; + void Finish() override + { + for (const auto &entry : g_asymKeys) { + for (const auto &keyPair : entry.second) { + m_manager->removeAlias(keyPair.prv); + m_manager->removeAlias(keyPair.pub); + } + } + + for (const auto &entry : g_symKeys) { + for (const auto &key : entry.second) { + m_manager->removeAlias(key); + } + } + + BIG_DATA.reset(); + PLAIN_DATA.reset(); + ckmc_buffer_free(AAD64); + ckmc_buffer_free(AAD32); + ckmc_buffer_free(IV128); + ckmc_buffer_free(IV17); + ckmc_buffer_free(IV15); + ckmc_buffer_free(IV12); + ckmc_buffer_free(IV11); + ckmc_buffer_free(DEFAULT_IV); + + int ret = ckmc_lock_user_key(UID); + if (ret != CKMC_ERROR_NONE) + RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret)); + remove_user_data(UID); } - KeyAliasPair aliases = { - aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_prv.str().c_str()), - aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_pub.str().c_str()) - }; - CharPtr passPtr(nullptr, free); - if (pass) - passPtr.reset(strdup(pass)); - - ckmc_policy_s policyPrv; - policyPrv.password = passPtr.get(); - policyPrv.extractable = 0; - - ckmc_policy_s policyPub; - policyPub.password = passPtr.get(); - policyPub.extractable = 0; - - auto mgr = CKM::Manager::create(); - - RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyPairRSA(static_cast(m_keyLen), - CKM::Alias(aliases.prv.c_str()), - CKM::Alias(aliases.pub.c_str()), - _toCkmPolicy(policyPrv, g_backend), - _toCkmPolicy(policyPub, g_backend)), "RSA key pair generation failed" ); - return aliases; -} - -enum Algorithm { - AES_CBC_128, - AES_CBC_192, - AES_CBC_256, - AES_GCM_128, - AES_GCM_192, - AES_GCM_256, - AES_CTR_128, - AES_CTR_192, - AES_CTR_256, - AES_CFB_128, - AES_CFB_192, - AES_CFB_256, - RSA_OAEP_1024, - RSA_OAEP_2048, - RSA_OAEP_4096, +private: + ManagerShPtr m_manager; + PolicyBackend m_backend; }; -std::map g_algorithms = { - { AES_CBC_128, createAlgo(CKMC_ALGO_AES_CBC, 128) }, - { AES_CBC_192, createAlgo(CKMC_ALGO_AES_CBC, 192) }, - { AES_CBC_256, createAlgo(CKMC_ALGO_AES_CBC, 256) }, - { AES_GCM_128, createAlgo(CKMC_ALGO_AES_GCM, 128) }, - { AES_GCM_192, createAlgo(CKMC_ALGO_AES_GCM, 192) }, - { AES_GCM_256, createAlgo(CKMC_ALGO_AES_GCM, 256) }, - { AES_CTR_128, createAlgo(CKMC_ALGO_AES_CTR, 128) }, - { AES_CTR_192, createAlgo(CKMC_ALGO_AES_CTR, 192) }, - { AES_CTR_256, createAlgo(CKMC_ALGO_AES_CTR, 256) }, - { AES_CFB_128, createAlgo(CKMC_ALGO_AES_CFB, 128) }, - { AES_CFB_192, createAlgo(CKMC_ALGO_AES_CFB, 192) }, - { AES_CFB_256, createAlgo(CKMC_ALGO_AES_CFB, 256) }, - { RSA_OAEP_1024, createAlgo(CKMC_ALGO_RSA_OAEP, 1024) }, - { RSA_OAEP_2048, createAlgo(CKMC_ALGO_RSA_OAEP, 2048) }, - { RSA_OAEP_4096, createAlgo(CKMC_ALGO_RSA_OAEP, 4096) }, -}; void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer) { @@ -311,18 +310,18 @@ struct EncryptionResult Alias pubKey; }; -EncryptionResult encrypt(const AlgoBasePtr& algo, +EncryptionResult encrypt(const Algo& algo, const RawBufferPtr& plain, const char* pass = nullptr) { EncryptionResult ret; ckmc_raw_buffer_s* encrypted = nullptr; - KeyAliasPair aliases = algo->keyGen(pass); + KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED); ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ret.params = ParamListPtr(handle, ckmc_param_list_free); - setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV); assert_crypto_positive(apiEncrypt, ret.params.get(), @@ -338,48 +337,55 @@ EncryptionResult encrypt(const AlgoBasePtr& algo, } void testAllAlgorithms( - const std::function& test) -{ - for(const auto& it : g_algorithms) - test(it.second); -} - -void testNoIvEnc(Algorithm type) + const std::function& test) +{ + test( { CKMC_ALGO_AES_CBC, 128 }); + test( { CKMC_ALGO_AES_CBC, 192 }); + test( { CKMC_ALGO_AES_CBC, 256 }); + test( { CKMC_ALGO_AES_GCM, 128 }); + test( { CKMC_ALGO_AES_GCM, 192 }); + test( { CKMC_ALGO_AES_GCM, 256 }); + test( { CKMC_ALGO_AES_CTR, 128 }); + test( { CKMC_ALGO_AES_CTR, 192 }); + test( { CKMC_ALGO_AES_CTR, 256 }); + test( { CKMC_ALGO_AES_CFB, 128 }); + test( { CKMC_ALGO_AES_CFB, 192 }); + test( { CKMC_ALGO_AES_CFB, 256 }); + test( { CKMC_ALGO_RSA_OAEP, 1024 }); + test( { CKMC_ALGO_RSA_OAEP, 2048 }); + test( { CKMC_ALGO_RSA_OAEP, 4096 }); +} + +void testNoIvEnc(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // param list with algo type only ParamListPtr params = createParamListPtr(); - setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type); + setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type); assert_crypto_invalid_param(apiEncrypt, params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encrypted); } -void testNoIvDec(Algorithm type) +void testNoIvDec(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt; - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // param list with algo type only ParamListPtr params = createParamListPtr(); - setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type); + setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type); assert_crypto_invalid_param(apiDecrypt, params.get(), ret.prvKey.c_str(), @@ -388,20 +394,17 @@ void testNoIvDec(Algorithm type) &decrypted); } -void testInvalidIvEnc(Algorithm type) +void testInvalidIvEnc(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encryptedTmp = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); // invalid encryption @@ -410,28 +413,25 @@ void testInvalidIvEnc(Algorithm type) params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encryptedTmp); ckmc_buffer_free(encryptedTmp); encryptedTmp = nullptr; }; // invalid iv size - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1)); + setParam(params, CKMC_PARAM_ED_IV, IV15); test(); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1)); + setParam(params, CKMC_PARAM_ED_IV, IV17); test(); }; -void testInvalidIvDec(Algorithm type) +void testInvalidIvDec(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // valid encryption - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // decryption auto test2 = [&](){ @@ -446,40 +446,37 @@ void testInvalidIvDec(Algorithm type) }; // invalid iv size - setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1)); + setParam(ret.params, CKMC_PARAM_ED_IV, IV15); test2(); - setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1)); + setParam(ret.params, CKMC_PARAM_ED_IV, IV17); test2(); }; -void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name) +void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encrypted = nullptr; ckmc_raw_buffer_s* decrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); // set AAD - setParam(params, name, createRandomBufferCAPI(64)); + setParam(params, name, AAD64); // encrypt assert_crypto_positive(apiEncrypt, params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encrypted); RawBufferPtr tmpEnc = create_raw_buffer(encrypted); @@ -493,12 +490,12 @@ void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name) RawBufferPtr tmpDec = create_raw_buffer(decrypted); // check - assert_buffers_equal(*plain.get(), *tmpDec.get()); + assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get()); tmpDec.reset(); decrypted = nullptr; // set wrong AAD - setParam(params, name, createRandomBufferCAPI(32)); + setParam(params, name, AAD32); // decrypt assert_crypto_result(EncryptionError::INVALID_PARAM, @@ -510,12 +507,11 @@ void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name) &decrypted); } -void testGcmIvSize(size_t size, +void testGcmIvSize(ckmc_raw_buffer_s* iv, const KeyAliasPair& aliases, EncryptionError error = EncryptionError::SUCCESS) { // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); RawBufferPtr encrypted; RawBufferPtr decrypted; ckmc_raw_buffer_s* encryptedTmp = nullptr; @@ -525,8 +521,8 @@ void testGcmIvSize(size_t size, ckmc_param_list_h handle = NULL; assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(size)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); + setParam(params, CKMC_PARAM_ED_IV, iv); // encryption assert_crypto_result(error, @@ -534,7 +530,7 @@ void testGcmIvSize(size_t size, params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encryptedTmp); if(error != EncryptionError::SUCCESS) @@ -550,19 +546,16 @@ void testGcmIvSize(size_t size, &decryptedTmp); decrypted = create_raw_buffer(decryptedTmp); - assert_buffers_equal(*plain.get(), *decrypted.get()); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get()); } -void testIntegrity(Algorithm type) +void testIntegrity(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // break the encrypted data ret.encrypted->data[BUF_LEN/2]++; @@ -576,25 +569,22 @@ void testIntegrity(Algorithm type) &decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); - assert_buffers_equal(*plain.get(), *decrypted, false); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false); } -void testCtrEncryptionInvalidLength(Algorithm type) +void testCtrEncryptionInvalidLength(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encryptedTmp = nullptr; // add AES CTR key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); // encryption auto test = [&](){ @@ -602,7 +592,7 @@ void testCtrEncryptionInvalidLength(Algorithm type) params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encryptedTmp); ckmc_buffer_free(encryptedTmp); encryptedTmp = nullptr; @@ -616,22 +606,19 @@ void testCtrEncryptionInvalidLength(Algorithm type) test(); } -void testCtrEncryptionValidLength(Algorithm type) +void testCtrEncryptionValidLength(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encryptedTmp = nullptr; // add AES CTR key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); // encryption auto test = [&](){ @@ -639,7 +626,7 @@ void testCtrEncryptionValidLength(Algorithm type) params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encryptedTmp); ckmc_buffer_free(encryptedTmp); encryptedTmp = nullptr; @@ -655,16 +642,13 @@ void testCtrEncryptionValidLength(Algorithm type) test(); } -void testCtrDecryptionInvalidLength(Algorithm type) +void testCtrDecryptionInvalidLength(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // add AES CTR key & encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // decryption auto test = [&](){ @@ -686,16 +670,13 @@ void testCtrDecryptionInvalidLength(Algorithm type) test(); } -void testCtrDecryptionValidLength(Algorithm type) +void testCtrDecryptionValidLength(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // add AES CTR key & encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // decryption auto test = [&](){ @@ -707,7 +688,7 @@ void testCtrDecryptionValidLength(Algorithm type) &decrypted); ckmc_buffer_free(decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); - assert_buffers_equal(*plain.get(), *decrypted); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted); }; // invalid counter size setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1); @@ -720,22 +701,19 @@ void testCtrDecryptionValidLength(Algorithm type) test(); } -void testGcmEncryptionTagLen(Algorithm type) +void testGcmEncryptionTagLen(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encryptedTmp = nullptr; // add AES GCM key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); std::vector testData = { // illegal tag lengths @@ -749,9 +727,16 @@ void testGcmEncryptionTagLen(Algorithm type) { 116, EncryptionError::INVALID_PARAM }, { 124, EncryptionError::INVALID_PARAM }, { 256, EncryptionError::INVALID_PARAM }, +#ifdef TZ_BACKEND + { 32, EncryptionError::INVALID_PARAM }, + { 64, EncryptionError::INVALID_PARAM }, + // legal tag lengths +#else // legal tag lengths { 32, EncryptionError::SUCCESS }, { 64, EncryptionError::SUCCESS }, +#endif + { 96, EncryptionError::SUCCESS }, { 104, EncryptionError::SUCCESS }, { 112, EncryptionError::SUCCESS }, @@ -768,23 +753,20 @@ void testGcmEncryptionTagLen(Algorithm type) params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encryptedTmp); ckmc_buffer_free(encryptedTmp); encryptedTmp = nullptr; } } -void testGcmDecryptionTagLen(Algorithm type) +void testGcmDecryptionTagLen(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // add AES GCM key & encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); std::vector testData = { // illegal tag lengths @@ -825,16 +807,13 @@ void testGcmDecryptionTagLen(Algorithm type) } } -void testGcmWrongTag(Algorithm type) +void testGcmWrongTag(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt with AES GCM - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // modify tag (last 16B of encrypted message) ret.encrypted->data[ret.encrypted->size-1]++; @@ -849,29 +828,24 @@ void testGcmWrongTag(Algorithm type) &decrypted); } -void testGcmDifferentIvSizes(Algorithm type) +void testGcmDifferentIvSizes(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // add AES GCM key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); - testGcmIvSize(11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest - testGcmIvSize(12, aliases); - testGcmIvSize(17, aliases); - testGcmIvSize(128, aliases); + testGcmIvSize(IV11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest + testGcmIvSize(IV12, aliases); + testGcmIvSize(IV17, aliases); + testGcmIvSize(IV128, aliases); } -void testEncryptDecryptBigData(Algorithm type) +void testEncryptDecryptBigData(const Algo& algo) { - const AlgoBasePtr& algo = g_algorithms.at(type); - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(5000000)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, BIG_DATA); assert_positive(apiDecrypt, ret.params.get(), @@ -881,53 +855,44 @@ void testEncryptDecryptBigData(Algorithm type) &decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); - assert_buffers_equal(*plain.get(), *decrypted); + assert_buffers_equal(*BIG_DATA.get(), *decrypted); } -void testEncryptDecryptDifferentKeys(Algorithm type, bool success) +void testEncryptDecryptDifferentKeys(const Algo& algo, bool success) { - const AlgoBasePtr& algo = g_algorithms.at(type); // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); - // add different key - KeyAliasPair differentKeys = algo->keyGen(nullptr, "_wrong"); + // get different keys + KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED); if (success) { // some algorithms don't verify key validity assert_crypto_positive(apiDecrypt, ret.params.get(), differentKeys.prv.c_str(), - nullptr, + PASSWORD, *ret.encrypted.get(), &decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); - assert_buffers_equal(*plain.get(), *decrypted, false); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false); } else { - assert_crypto_result(EncryptionError::INVALID_PARAM, + assert_crypto_result(EncryptionError::INVALID_PARAM, apiDecrypt, ret.params.get(), differentKeys.prv.c_str(), - nullptr, + PASSWORD, *ret.encrypted.get(), &decrypted); - } - - // Cleanup before testing next algorithm. Ignore results because not all keys are present - ckmc_remove_alias(ret.prvKey.c_str()); - ckmc_remove_alias(ret.pubKey.c_str()); - ckmc_remove_alias(differentKeys.prv.c_str()); - ckmc_remove_alias(differentKeys.pub.c_str()); + } } -void testRsaLongestData(Algorithm type, size_t dataSize) +void testRsaLongestData(const Algo& algo, size_t dataSize) { - const AlgoBasePtr& algo = g_algorithms.at(type); // prepare buffers RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize)); ckmc_raw_buffer_s* decrypted = nullptr; @@ -946,19 +911,18 @@ void testRsaLongestData(Algorithm type, size_t dataSize) assert_buffers_equal(*plain.get(), *decrypted); } -void testRsaDataTooLong(Algorithm type, size_t dataSize) +void testRsaDataTooLong(const Algo& algo, size_t dataSize) { - const AlgoBasePtr& algo = g_algorithms.at(type); // prepare buffers RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize)); // encrypt EncryptionResult ret; ckmc_raw_buffer_s* encrypted = nullptr; - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ret.params = ParamListPtr(handle, ckmc_param_list_free); assert_crypto_result(EncryptionError::INVALID_PARAM, apiEncrypt, @@ -971,8 +935,7 @@ void testRsaDataTooLong(Algorithm type, size_t dataSize) } // namespace anonymous - -RUNNER_TEST_GROUP_INIT(CKM_ENCRYPTION_DECRYPTION); +RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture); ///////////////////////////////////////// // Generic encryption decryption tests @@ -980,20 +943,19 @@ RUNNER_TEST_GROUP_INIT(CKM_ENCRYPTION_DECRYPTION); RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // null param list assert_crypto_invalid_param(apiEncrypt, nullptr, aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encrypted); // empty param list @@ -1002,49 +964,48 @@ RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv) params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encrypted); }); } RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* encrypted = nullptr; // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); assert_crypto_result(EncryptionError::ALIAS_UNKNOWN, apiEncrypt, params.get(), "non-existing-key-alias", nullptr, - *plain.get(), + *PLAIN_DATA.get(), &encrypted); }); } RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers ckmc_raw_buffer_s plain = { nullptr, 0 }; ckmc_raw_buffer_s* encrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); assert_crypto_invalid_param(apiEncrypt, params.get(), @@ -1057,38 +1018,36 @@ RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv) RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s** encrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); assert_crypto_invalid_param(apiEncrypt, params.get(), aliases.pub.c_str(), nullptr, - *plain.get(), + *PLAIN_DATA.get(), encrypted); }); } RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt; - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); // null param list assert_crypto_invalid_param(apiDecrypt, @@ -1111,22 +1070,18 @@ RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv) RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); - - // remove key - assert_positive(ckmc_remove_alias, ret.prvKey.c_str()); + auto ret = encrypt(algo, PLAIN_DATA); // try to decrypt assert_crypto_result(EncryptionError::ALIAS_UNKNOWN, apiDecrypt, ret.params.get(), - ret.prvKey.c_str(), + "non-existent-key", nullptr, *ret.encrypted.get(), &decrypted); @@ -1135,19 +1090,19 @@ RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv) RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers ckmc_raw_buffer_s encrypted = { nullptr, 0 }; ckmc_raw_buffer_s* decrypted = nullptr; // add key - KeyAliasPair aliases = algo->keyGen(); + KeyAliasPair aliases = getKey(algo, PRIMARY); // setup params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); assert_crypto_invalid_param(apiDecrypt, params.get(), @@ -1160,13 +1115,12 @@ RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv) RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s** decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); assert_crypto_invalid_param(apiDecrypt, ret.params.get(), @@ -1179,33 +1133,28 @@ RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv) RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptDifferentKeys(AES_CBC_128, false); - testEncryptDecryptDifferentKeys(AES_CBC_192, false); - testEncryptDecryptDifferentKeys(AES_CBC_256, false); - testEncryptDecryptDifferentKeys(AES_GCM_128, false); - testEncryptDecryptDifferentKeys(AES_GCM_192, false); - testEncryptDecryptDifferentKeys(AES_GCM_256, false); - testEncryptDecryptDifferentKeys(AES_CTR_128, true); - testEncryptDecryptDifferentKeys(AES_CTR_192, true); - testEncryptDecryptDifferentKeys(AES_CTR_256, true); - testEncryptDecryptDifferentKeys(AES_CFB_128, true); - testEncryptDecryptDifferentKeys(AES_CFB_192, true); - testEncryptDecryptDifferentKeys(AES_CFB_256, true); - testEncryptDecryptDifferentKeys(RSA_OAEP_1024, false); - testEncryptDecryptDifferentKeys(RSA_OAEP_2048, false); - testEncryptDecryptDifferentKeys(RSA_OAEP_4096, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true); + testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false); + testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false); } RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); assert_crypto_positive(apiDecrypt, ret.params.get(), @@ -1215,19 +1164,18 @@ RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv) &decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); - assert_buffers_equal(*plain.get(), *decrypted); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted); }); } RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); ckmc_raw_buffer_s* decrypted = nullptr; // encrypt - auto ret = encrypt(algo, plain, PASSWORD); + auto ret = encrypt(algo, PLAIN_DATA, PASSWORD); // wrong password assert_crypto_result(EncryptionError::AUTH_FAILED, @@ -1247,81 +1195,69 @@ RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv) &decrypted); RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion - assert_buffers_equal(*plain.get(), *decrypted); + assert_buffers_equal(*PLAIN_DATA.get(), *decrypted); }); } // long test split into smaller ones -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_128, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CBC_128); + testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_192, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CBC_192); + testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_256, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CBC_256); + testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_128, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_GCM_128); + testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_192, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_GCM_192); + testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_256, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_GCM_256); + testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_128, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CTR_128); + testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_192, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CTR_192); + testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_256, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CTR_256); + testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_128, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CFB_128); + testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_192, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CFB_192); + testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192}); } -RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_256, SyncEnv, AsyncEnv) +RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testEncryptDecryptBigData(AES_CFB_256); + testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256}); } ///////////////////////////////////////// @@ -1330,183 +1266,179 @@ RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_256, SyncEnv, Asy RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv) { - testNoIvEnc(AES_CTR_128); - testNoIvEnc(AES_CTR_192); - testNoIvEnc(AES_CTR_256); - testNoIvEnc(AES_CBC_128); - testNoIvEnc(AES_CBC_192); - testNoIvEnc(AES_CBC_256); - testNoIvEnc(AES_CFB_128); - testNoIvEnc(AES_CFB_192); - testNoIvEnc(AES_CFB_256); - testNoIvEnc(AES_GCM_128); - testNoIvEnc(AES_GCM_192); - testNoIvEnc(AES_GCM_256); + testNoIvEnc({CKMC_ALGO_AES_CTR, 128}); + testNoIvEnc({CKMC_ALGO_AES_CTR, 192}); + testNoIvEnc({CKMC_ALGO_AES_CTR, 256}); + testNoIvEnc({CKMC_ALGO_AES_CBC, 128}); + testNoIvEnc({CKMC_ALGO_AES_CBC, 192}); + testNoIvEnc({CKMC_ALGO_AES_CBC, 256}); + testNoIvEnc({CKMC_ALGO_AES_CFB, 128}); + testNoIvEnc({CKMC_ALGO_AES_CFB, 192}); + testNoIvEnc({CKMC_ALGO_AES_CFB, 256}); + testNoIvEnc({CKMC_ALGO_AES_GCM, 128}); + testNoIvEnc({CKMC_ALGO_AES_GCM, 192}); + testNoIvEnc({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv) { - testInvalidIvEnc(AES_CTR_128); - testInvalidIvEnc(AES_CTR_192); - testInvalidIvEnc(AES_CTR_256); - testInvalidIvEnc(AES_CBC_128); - testInvalidIvEnc(AES_CBC_192); - testInvalidIvEnc(AES_CBC_256); - testInvalidIvEnc(AES_CFB_128); - testInvalidIvEnc(AES_CFB_192); - testInvalidIvEnc(AES_CFB_256); + testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128}); + testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192}); + testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256}); + testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128}); + testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192}); + testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256}); + testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128}); + testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192}); + testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256}); } RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv) { - testNoIvDec(AES_CTR_128); - testNoIvDec(AES_CTR_192); - testNoIvDec(AES_CTR_256); - testNoIvDec(AES_CBC_128); - testNoIvDec(AES_CBC_192); - testNoIvDec(AES_CBC_256); - testNoIvDec(AES_CFB_128); - testNoIvDec(AES_CFB_192); - testNoIvDec(AES_CFB_256); - testNoIvDec(AES_GCM_128); - testNoIvDec(AES_GCM_192); - testNoIvDec(AES_GCM_256); + testNoIvDec({CKMC_ALGO_AES_CTR, 128}); + testNoIvDec({CKMC_ALGO_AES_CTR, 192}); + testNoIvDec({CKMC_ALGO_AES_CTR, 256}); + testNoIvDec({CKMC_ALGO_AES_CBC, 128}); + testNoIvDec({CKMC_ALGO_AES_CBC, 192}); + testNoIvDec({CKMC_ALGO_AES_CBC, 256}); + testNoIvDec({CKMC_ALGO_AES_CFB, 128}); + testNoIvDec({CKMC_ALGO_AES_CFB, 192}); + testNoIvDec({CKMC_ALGO_AES_CFB, 256}); + testNoIvDec({CKMC_ALGO_AES_GCM, 128}); + testNoIvDec({CKMC_ALGO_AES_GCM, 192}); + testNoIvDec({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv) { - testInvalidIvDec(AES_CTR_128); - testInvalidIvDec(AES_CTR_192); - testInvalidIvDec(AES_CTR_256); - testInvalidIvDec(AES_CBC_128); - testInvalidIvDec(AES_CBC_192); - testInvalidIvDec(AES_CBC_256); - testInvalidIvDec(AES_CFB_128); - testInvalidIvDec(AES_CFB_192); - testInvalidIvDec(AES_CFB_256); + testInvalidIvDec({CKMC_ALGO_AES_CTR, 128}); + testInvalidIvDec({CKMC_ALGO_AES_CTR, 192}); + testInvalidIvDec({CKMC_ALGO_AES_CTR, 256}); + testInvalidIvDec({CKMC_ALGO_AES_CBC, 128}); + testInvalidIvDec({CKMC_ALGO_AES_CBC, 192}); + testInvalidIvDec({CKMC_ALGO_AES_CBC, 256}); + testInvalidIvDec({CKMC_ALGO_AES_CFB, 128}); + testInvalidIvDec({CKMC_ALGO_AES_CFB, 192}); + testInvalidIvDec({CKMC_ALGO_AES_CFB, 256}); } RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv) { - testIntegrity(AES_CTR_128); - testIntegrity(AES_CTR_192); - testIntegrity(AES_CTR_256); - testIntegrity(AES_CBC_128); - testIntegrity(AES_CBC_192); - testIntegrity(AES_CBC_256); - testIntegrity(AES_CFB_128); - testIntegrity(AES_CFB_192); - testIntegrity(AES_CFB_256); + testIntegrity({CKMC_ALGO_AES_CTR, 128}); + testIntegrity({CKMC_ALGO_AES_CTR, 192}); + testIntegrity({CKMC_ALGO_AES_CTR, 256}); + testIntegrity({CKMC_ALGO_AES_CBC, 128}); + testIntegrity({CKMC_ALGO_AES_CBC, 192}); + testIntegrity({CKMC_ALGO_AES_CBC, 256}); + testIntegrity({CKMC_ALGO_AES_CFB, 128}); + testIntegrity({CKMC_ALGO_AES_CFB, 192}); + testIntegrity({CKMC_ALGO_AES_CFB, 256}); } RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv) { - testCtrEncryptionInvalidLength(AES_CTR_128); - testCtrEncryptionInvalidLength(AES_CTR_192); - testCtrEncryptionInvalidLength(AES_CTR_256); + testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128}); + testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192}); + testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256}); } RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv) { RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length"); - testCtrEncryptionValidLength(AES_CTR_128); - testCtrEncryptionValidLength(AES_CTR_192); - testCtrEncryptionValidLength(AES_CTR_256); + testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128}); + testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192}); + testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256}); } RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv) { - testCtrDecryptionInvalidLength(AES_CTR_128); - testCtrDecryptionInvalidLength(AES_CTR_192); - testCtrDecryptionInvalidLength(AES_CTR_256); + testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128}); + testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192}); + testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256}); } RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv) { RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length"); - testCtrDecryptionValidLength(AES_CTR_128); - testCtrDecryptionValidLength(AES_CTR_192); - testCtrDecryptionValidLength(AES_CTR_256); + testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128}); + testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192}); + testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256}); } RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testGcmEncryptionTagLen(AES_GCM_128); - testGcmEncryptionTagLen(AES_GCM_192); - testGcmEncryptionTagLen(AES_GCM_256); + testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128}); + testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192}); + testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testGcmDecryptionTagLen(AES_GCM_128); - testGcmDecryptionTagLen(AES_GCM_192); - testGcmDecryptionTagLen(AES_GCM_256); + testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128}); + testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192}); + testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - testGcmWrongTag(AES_GCM_128); - testGcmWrongTag(AES_GCM_192); - testGcmWrongTag(AES_GCM_256); + testGcmWrongTag({CKMC_ALGO_AES_GCM, 128}); + testGcmWrongTag({CKMC_ALGO_AES_GCM, 192}); + testGcmWrongTag({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv) { - testGcmDifferentIvSizes(AES_GCM_128); - testGcmDifferentIvSizes(AES_GCM_192); - testGcmDifferentIvSizes(AES_GCM_256); + testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128}); + testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192}); + testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256}); } RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv) { - testBackend b(PolicyBackend::FORCE_SOFTWARE); - encryptionWithCustomData(AES_GCM_128, CKMC_PARAM_ED_AAD); - encryptionWithCustomData(AES_GCM_192, CKMC_PARAM_ED_AAD); - encryptionWithCustomData(AES_GCM_256, CKMC_PARAM_ED_AAD); + encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD); + encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD); + encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD); } RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv) { RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl"); - encryptionWithCustomData(RSA_OAEP_1024, CKMC_PARAM_ED_LABEL); - encryptionWithCustomData(RSA_OAEP_2048, CKMC_PARAM_ED_LABEL); - encryptionWithCustomData(RSA_OAEP_4096, CKMC_PARAM_ED_LABEL); + encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL); + encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL); + encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL); } RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv) { - testRsaLongestData(RSA_OAEP_1024, 86); - testRsaLongestData(RSA_OAEP_2048, 214); - testRsaLongestData(RSA_OAEP_4096, 470); + testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86); + testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214); + testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470); } RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv) { - testRsaDataTooLong(RSA_OAEP_1024, 87); - testRsaDataTooLong(RSA_OAEP_2048, 215); - testRsaDataTooLong(RSA_OAEP_4096, 471); + testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87); + testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215); + testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471); } ///////////////////////////////////////// // Asynchronous only tests ///////////////////////////////////////// -RUNNER_TEST(TED_2000_enc_no_observer_async, EncEnv) +RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ + testAllAlgorithms([](const Algo& algo){ // prepare buffers RawBuffer plain = createRandomBuffer(BUF_LEN); // keys - KeyAliasPair aliases = algo->keyGen(nullptr); + KeyAliasPair aliases = getKey(algo, PRIMARY); // params ckmc_param_list_h handle = NULL; - assert_positive(ckmc_generate_new_params, algo->m_type, &handle); + assert_positive(ckmc_generate_new_params, algo.type, &handle); ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free); - setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN)); + setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV); // encrypt test_no_observer(&ManagerAsync::encrypt, @@ -1519,12 +1451,9 @@ RUNNER_TEST(TED_2000_enc_no_observer_async, EncEnv) RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv) { - testAllAlgorithms([](const AlgoBasePtr& algo){ - // prepare buffers - RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN)); - + testAllAlgorithms([](const Algo& algo){ // encrypt - auto ret = encrypt(algo, plain); + auto ret = encrypt(algo, PLAIN_DATA); RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size); // decrypt diff --git a/src/ckm/unprivileged/main.cpp b/src/ckm/unprivileged/main.cpp index 0d05a9c..b5e2b93 100644 --- a/src/ckm/unprivileged/main.cpp +++ b/src/ckm/unprivileged/main.cpp @@ -280,6 +280,42 @@ RUNNER_TEST(T1014_save_with_label) "Key value has been changed by service"); } +RUNNER_TEST(T1020_save_big_data) +{ +#ifdef TZ_BACKEND + const size_t BIG_SIZE = 100000; + CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_HARDWARE; +#else + const size_t BIG_SIZE = 5000000; + CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_SOFTWARE; +#endif + + int temp; + std::vector big_data(BIG_SIZE); + std::ifstream is("/dev/urandom", std::ifstream::binary); + if(is) + is.read(big_data.data(), BIG_SIZE); + + RUNNER_ASSERT_MSG(is, + "Only " << is.gcount() << "/" << BIG_SIZE << " bytes read from /dev/urandom"); + + CKM::RawBuffer buffer(big_data.begin(), big_data.end()); + CKM::Policy policy(CKM::Password(), true, backend); + CKM::RawBuffer returned; + + auto manager = CKM::Manager::create(); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->saveData("big_data", buffer, policy)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_SUCCESS == (temp = manager->getData("big_data", CKM::Password(), returned)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG(buffer == returned, "Returned data doesn't match the original"); +} + RUNNER_TEST(T1015_deinit) { remove_user_data(USER_APP); @@ -2289,68 +2325,13 @@ RUNNER_TEST(T14184_ECDSA_create_signatue_nohash) std::string message = "message test"; - CKM::Alias aliasPub = "ecpub_nohash1"; CKM::Alias aliasPrv = "ecprv_nohash1"; CKM::HashAlgorithm hash = CKM::HashAlgorithm::NONE; CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::PKCS1; CKM::RawBuffer signature; RUNNER_ASSERT_MSG( - CKM_API_SUCCESS == (temp = manager->createSignature( - aliasPrv, - CKM::Password(), - CKM::RawBuffer(message.begin(), message.end()), - hash, - padd, - signature)), - "Error=" << CKM::APICodeToString(temp)); - - RUNNER_ASSERT_MSG( - CKM_API_SUCCESS == (temp = manager->verifySignature( - aliasPub, - CKM::Password(), - CKM::RawBuffer(message.begin(), message.end()), - signature, - hash, - padd)), - "Error=" << CKM::APICodeToString(temp)); - - RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small"); - - memcpy((void*)signature.data(), "BROKEN", 6); - - RUNNER_ASSERT_MSG( - CKM_API_ERROR_VERIFICATION_FAILED == (temp = manager->verifySignature( - aliasPub, - CKM::Password(), - CKM::RawBuffer(message.begin(), message.end()), - signature, - hash, - padd)), - "Error=" << CKM::APICodeToString(temp)); -} - -RUNNER_TEST(T14185_ECDSA_create_signatue_nohash_bigmsg) -{ - int temp; - auto manager = CKM::Manager::create(); - - int msgSize = 1024*1024; - char big_msg[msgSize]; - for(int i =0; icreateSignature( + CKM_API_ERROR_INPUT_PARAM == (temp = manager->createSignature( aliasPrv, CKM::Password(), CKM::RawBuffer(message.begin(), message.end()), @@ -2360,7 +2341,6 @@ RUNNER_TEST(T14185_ECDSA_create_signatue_nohash_bigmsg) "Error=" << CKM::APICodeToString(temp)); } - RUNNER_TEST(T14189_deinit) { remove_user_data(USER_APP); @@ -2633,21 +2613,23 @@ RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS) int temp; auto manager = CKM::Manager::create(); - std::string prv = "-----BEGIN RSA PRIVATE KEY-----\n" - "MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I\n" - "v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI\n" - "ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB\n" - "AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA\n" - "snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/\n" - "iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh\n" - "dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY\n" - "bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO\n" - "vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R\n" - "ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7\n" - "pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm\n" - "oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D\n" - "3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7\n" - "-----END RSA PRIVATE KEY-----"; + std::string prv = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U\n" + "BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy\n" + "QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB\n" + "AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn\n" + "RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh\n" + "22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR\n" + "wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys\n" + "PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU\n" + "91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9\n" + "uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS\n" + "Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2\n" + "wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx\n" + "bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw==\n" + "-----END RSA PRIVATE KEY-----\n"; + std::string message = "message test"; auto keyPrv = CKM::Key::create(CKM::RawBuffer(prv.begin(), prv.end()), CKM::Password()); @@ -2744,15 +2726,21 @@ RUNNER_TEST(T1810_verify_get_certificate_chain) // this certificate has been signed using PKCS chain std::string im = "-----BEGIN CERTIFICATE-----\n" - "MIIBozCCAQwCAQEwDQYJKoZIhvcNAQEFBQAwHDEaMBgGA1UEAwwRc2VydmVyQHRl\n" - "c3RtZS5jb20wHhcNMTUxMjA5MTA0NjU0WhcNMjUxMjA2MTA0NjU0WjAYMRYwFAYD\n" - "VQQDDA1lZUB0ZXN0bWUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP\n" - "+fNsZB1Vlmhnk0IwYDs7Pw9E38KQfTt/egqqRFN6IvIt0CCDBXqnPTujuvlO2OyL\n" - "XVuALnIBmTDm5Oz+oz+qiY6/XrVS/CoACNZyMo6ihG9OeocvDbU3jXEaPGL6ib/x\n" - "jlms0aA9d5L9TO2lEzEP7bFKgHCB8FWINcxSP5zl1QIDAQABMA0GCSqGSIb3DQEB\n" - "BQUAA4GBAKBpVJMkdK6/qnAz7d7Bul/BhhSLEYbNPdxRiUj3U2dt0GJgswMu2SNT\n" - "/3NXB8V8mnnXR6cWn5bmjyA7ZpQEKAatS/KEQ9wfLXyCgYDRebX71mVKAI3XcyxB\n" - "p2qsOWWaJhuHmC1GVjx3foL+RDrmRo6BiucNHMIuvrd1W36eKdhj\n" + "MIICxDCCAi0CFGHuCEUksqn0Rr3SXdhn+TlnL804MA0GCSqGSIb3DQEBCwUAMGEx\n" + "CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl\n" + "cm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEXNlcnZlckB0ZXN0bWUuY29t\n" + "MB4XDTE5MDYxMzEyMTkyNloXDTI5MDYxMDEyMTkyNlowXTELMAkGA1UEBhMCQVUx\n" + "EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg\n" + "UHR5IEx0ZDEWMBQGA1UEAwwNZWVAdGVzdG1lLmNvbTCCASIwDQYJKoZIhvcNAQEB\n" + "BQADggEPADCCAQoCggEBAK3/XvE3uc2EhzwmsAfq6KEw52J8kCAB9Rma/qjkw6ZT\n" + "yUYmSQvmcK8wSDt015Y/ekYLereCeWNLNkFlQeZC7LHT6T1mGnxNIgL3oUS2c+15\n" + "FEYX9QJIN/CoJYQ/tmiQPa1OJz4prUFwqAzM1kRtHGfcAGmQHfgu77P3ljAJzfsW\n" + "2beVHM+MTNSybkGHql28Z93bp382k5FQXegkxbozsKBMk37QjKiqes29J/ET0Huy\n" + "yzOkf+XvbizIPRvMt/2guw9sgRb7YrM2M+igmHIHxfzxuqzpPr+bmcqQdyFdVkAK\n" + "Qcx930HbfjHJ5k5vcovPLQ3LvSnYVCTe7aCAAmMzKXsCAwEAATANBgkqhkiG9w0B\n" + "AQsFAAOBgQBfFMim/9zLd+EeZyeYA0vy3C9YuNJI+KsZlKAfrFDQNeIT/qg/GQM4\n" + "o7I3TIHQ62tdEx6nBJs0DKSAmhRh4yc+P1KHMzIQIgSjftqS3Z+AKbJn6vOpWNTq\n" + "cexnpexaNn69dbqJZsjr0fHsGAkh5n96icAB4VZyFncEknZKbTdd0g==\n" "-----END CERTIFICATE-----\n"; auto cert = CKM::Certificate::create(CKM::RawBuffer(im.begin(), im.end()), CKM::DataFormat::FORM_PEM); diff --git a/src/ckm/unprivileged/sign-verify.cpp b/src/ckm/unprivileged/sign-verify.cpp new file mode 100644 index 0000000..c1a7b44 --- /dev/null +++ b/src/ckm/unprivileged/sign-verify.cpp @@ -0,0 +1,492 @@ +/* + * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +/* + * @file sign-verify.cpp + * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com) + * @version 1.0 + */ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +using namespace CKM; + +namespace { + +const char* PASSWORD = "test-password"; +const uid_t UID = 5001; + +struct KeyAliasPair +{ + Alias prv; + Alias pub; +}; + +enum Algo { + RSA, + DSA, + ECDSA +}; + +// algo names +const std::unordered_map ALGO2STR = { + { RSA, "RSA" }, + { DSA, "DSA" }, + { ECDSA, "ECDSA" }, +}; + +// keys +std::unordered_map>> KEYS; + +enum KeyIdx { + PRIMARY = 0, + PASSWORD_PROTECTED = 1, + + KEY_IDX_MAX +}; + +// hash algo names +const std::unordered_map HASH2STR = { +#ifndef TZ_BACKEND + // no hash is not supported in TZ + { CKMC_HASH_NONE, "NONE" }, +#endif + { CKMC_HASH_SHA1, "SHA1" }, + { CKMC_HASH_SHA256, "SHA256" }, + { CKMC_HASH_SHA384, "SHA384" }, + { CKMC_HASH_SHA512, "SHA512" }, +}; + +// padding names +const std::unordered_map PAD2STR = { +#ifndef TZ_BACKEND + // no padding is not supported in TZ + { CKMC_NONE_PADDING, "NONE" }, +#endif + { CKMC_PKCS1_PADDING, "PKCS1" }, +#ifndef TZ_BACKEND + // X9.31 is not supported in TZ + { CKMC_X931_PADDING, "X931" }, +#endif +}; + +const int EC_PRIME192V1 = static_cast(ElipticCurve::prime192v1); +const int EC_PRIME256V1 = static_cast(ElipticCurve::prime256v1); +const int EC_SECP384R1 = static_cast(ElipticCurve::secp384r1); + +// test messages +RawBufferPtr MESSAGE_SHORT; +std::unordered_map MESSAGES; +RawBufferPtr MESSAGE_LONG; + +class SignVerifyGroupFixture: public DPL::Test::TestGroup +{ +public: + void Init() override + { + remove_user_data(UID); + int ret = ckmc_unlock_user_key(UID, "db-pass"); + if (ret != CKMC_ERROR_NONE) + RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret)); + + // Policy backend to use in subsequent operations (global for each test case) +#ifdef TZ_BACKEND + m_backend = PolicyBackend::FORCE_HARDWARE; +#else + m_backend = PolicyBackend::FORCE_SOFTWARE; +#endif + + // generate keys + m_manager = Manager::create(); + generateKeys(RSA, 1024); + generateKeys(RSA, 2048); + generateKeys(RSA, 4096); + generateKeys(DSA, 1024); +#ifndef TZ_BACKEND + /* + * For DSA with SHA1 only 1024-bit keys are supported and TZ does not currently support + * anything else than SHA1 for DSA. + */ + generateKeys(DSA, 2048); + generateKeys(DSA, 3072); + generateKeys(DSA, 4096); +#endif +#ifndef TZ_BACKEND + // ECDSA is not yet supported on TZ + generateKeys(ECDSA, EC_PRIME192V1); + generateKeys(ECDSA, EC_PRIME256V1); + generateKeys(ECDSA, EC_SECP384R1); +#endif + + MESSAGE_SHORT = create_raw_buffer(createRandomBufferCAPI(512/8)); + + // Set first byte to 0 to avoid "data too large for modulus" error in unpadded RSA + MESSAGES[1024] = create_raw_buffer(createRandomBufferCAPI(1024/8)); + MESSAGES[1024]->data[0] = 0; + MESSAGES[2048] = create_raw_buffer(createRandomBufferCAPI(2048/8)); + MESSAGES[2048]->data[0] = 0; + MESSAGES[3072] = create_raw_buffer(createRandomBufferCAPI(3072/8)); + MESSAGES[3072]->data[0] = 0; + MESSAGES[4096]= create_raw_buffer(createRandomBufferCAPI(4096/8)); + MESSAGES[4096]->data[0] = 0; + + MESSAGE_LONG = create_raw_buffer(createRandomBufferCAPI(1000)); + } + + void generateKeys(Algo type, size_t bitLen) + { + for (int i = 0; i < KEY_IDX_MAX; i++) + { + Policy prvPolicy(Password(), false, m_backend); + Policy pubPolicy(Password(), true, m_backend); + if (i == PASSWORD_PROTECTED) { + prvPolicy.password.assign(PASSWORD); + pubPolicy.password.assign(PASSWORD); + } + + KeyAliasPair alias; + alias.prv = ALGO2STR.at(type) + std::string("_") + std::to_string(bitLen) + + std::string("_") + std::to_string(i); + alias.pub = std::string("pub") + alias.prv; + int ret; + switch (type) + { + case RSA: + ret = m_manager->createKeyPairRSA(bitLen, + alias.prv, alias.pub, + prvPolicy, pubPolicy); + break; + case DSA: + ret = m_manager->createKeyPairDSA(bitLen, + alias.prv, alias.pub, + prvPolicy, pubPolicy); + break; + case ECDSA: + ret = m_manager->createKeyPairECDSA(static_cast(bitLen), + alias.prv, alias.pub, + prvPolicy, pubPolicy); + break; + default: + ret = CKM_API_ERROR_UNKNOWN; + } + if (ret != CKM_API_SUCCESS) + RUNNER_ERROR_MSG("key creation failed. Type: " << ALGO2STR.at(type) << + " bits: " << bitLen << " error: " << APICodeToString(ret)); + + KEYS[type][bitLen].push_back(alias); + } + } + + void Finish() override + { + for (const auto &type : KEYS) { + for (const auto &entry : type.second) { + for (const auto &keyPair : entry.second) { + m_manager->removeAlias(keyPair.prv); + m_manager->removeAlias(keyPair.pub); + } + } + } + + MESSAGE_SHORT.reset(); + + int ret = ckmc_lock_user_key(UID); + if (ret != CKMC_ERROR_NONE) + RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret)); + remove_user_data(UID); + } +private: + ManagerShPtr m_manager; + PolicyBackend m_backend; +}; + +std::string params2str(const Alias& alias, + const ckmc_hash_algo_e hash, + const ckmc_rsa_padding_algo_e padding, + const RawBufferPtr& message) +{ + std::stringstream ss; + ss << " Alias: " << alias << ", hash algo: " << HASH2STR.at(hash) << + ", padding: " << PAD2STR.at(padding) << ", message len: " << message->size << "B."; + return ss.str(); +} + +void signExpect(int expected, + const Alias& alias, + const char* pw, + const RawBufferPtr& message, + const ckmc_hash_algo_e hash, + const ckmc_rsa_padding_algo_e padding, + RawBufferPtr& signature) +{ + ckmc_raw_buffer_s* cSignature = nullptr; + + int ret = ckmc_create_signature(alias.c_str(), pw, *message, hash, padding, &cSignature); + RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature creation." << + params2str(alias, hash, padding, message) << + " Expected: " << CKMCErrorToString(expected) << + " got: " << CKMCErrorToString(ret)); + if (ret == CKMC_ERROR_NONE) { + RUNNER_ASSERT_MSG(cSignature != nullptr && cSignature->size > 0, + "Empty signature returned." << + params2str(alias, hash, padding, message)); + signature = create_raw_buffer(cSignature); + } else { + RUNNER_ASSERT_MSG(cSignature == nullptr, + "Non-empty signature returned." << + params2str(alias, hash, padding, message)); + } +} + +void signInvalid(const Alias& alias, + const char* pw, + const RawBufferPtr& message, + const ckmc_hash_algo_e hash, + const ckmc_rsa_padding_algo_e padding) +{ + RawBufferPtr signature; + signExpect(CKMC_ERROR_INVALID_PARAMETER, alias, pw, message, hash, padding, signature); +} + +void verifyExpect(int expected, + const Alias& alias, + const char* pw, + const RawBufferPtr& message, + const ckmc_hash_algo_e hash, + const ckmc_rsa_padding_algo_e padding, + const RawBufferPtr& signature) +{ + int ret = ckmc_verify_signature(alias.c_str(), pw, *message, *signature, hash, padding); + RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature verification." << + params2str(alias, hash, padding, message) << + " Expected: " << CKMCErrorToString(expected) << + " got: " << CKMCErrorToString(ret)); +} + +void signVerify(const KeyAliasPair& aliasPair, + const char* pw, + const RawBufferPtr& message, + const ckmc_hash_algo_e hash, + const ckmc_rsa_padding_algo_e padding) +{ + RawBufferPtr signature; + signExpect(CKMC_ERROR_NONE, aliasPair.prv, pw, message, hash, padding, signature); + + RUNNER_ASSERT_MSG(signature->size > 0, "Empty signature returned"); + + verifyExpect(CKMC_ERROR_NONE, aliasPair.pub, pw, message, hash, padding, signature); + + // modify 1 bit of the signature + signature->data[0] ^= 0x01; + + // expect verification failure + verifyExpect(CKMC_ERROR_VERIFICATION_FAILED, + aliasPair.pub, + pw, + message, + hash, + padding, + signature); +} +// test given key pair against all hash and padding algos +void testSignVerify(Algo algo, size_t keyBits, int idx) +{ +#ifdef TZ_BACKEND + if (algo == DSA && keyBits > 1024) + RUNNER_IGNORED_MSG("For DSA with SHA1 only 1024-bit keys are supported and TZ does not"\ + " currently support anything else than SHA1 for DSA."); + if (algo == ECDSA) + RUNNER_IGNORED_MSG("ECDSA is not yet supported in TZ"); +#endif + + std::string pw; + if (idx == PASSWORD_PROTECTED) + pw = PASSWORD; + + const KeyAliasPair& keys = KEYS[algo][keyBits][idx]; + + // iterate over hash algorithms + for (const auto& hash : HASH2STR) { +#ifdef TZ_BACKEND + // in case of DSA only SHA1 is supported on TZ + if (algo == DSA && hash.first != CKMC_HASH_SHA1) + continue; +#endif + + // iterate over padding algorithms + for (const auto& pad : PAD2STR) { + auto expectSuccess = [&](const RawBufferPtr& msg) { + signVerify(keys, pw.c_str(), msg, hash.first, pad.first); + }; + auto expectInvalid = [&](const RawBufferPtr& msg) { + signInvalid(keys.prv, pw.c_str(), msg, hash.first, pad.first); + }; + + // padding is for RSA only, other algos should ignore it + if (algo == RSA && pad.first == CKMC_NONE_PADDING) { + if (hash.first == CKMC_HASH_NONE) { + // no hash + no padding + key matching message + expectSuccess(MESSAGES.at(keyBits)); + } + // no padding + short message + expectInvalid(MESSAGE_SHORT); + + // no padding + long message + expectInvalid(MESSAGE_LONG); + + } else { + if (hash.first == CKMC_HASH_NONE) { + // no hash + padding + long message + expectInvalid(MESSAGE_LONG); + + // no hash + padding + short message + if (algo == RSA) + expectSuccess(MESSAGE_SHORT); + else + expectInvalid(MESSAGE_SHORT); // no support for CKMC_HASH_NONE + } else { + // hash + padding + short message + expectSuccess(MESSAGE_SHORT); + + // hash + padding + long message + expectSuccess(MESSAGE_LONG); + } + } + } + } +} + +} // namespace anonymous + +RUNNER_TEST_GROUP_INIT_ENV(CKM_SIGN_VERIFY, SignVerifyGroupFixture); + + +// RSA +RUNNER_TEST(TSV_0110_sign_verify_rsa_1024) +{ + testSignVerify(RSA, 1024, PRIMARY); +} + +RUNNER_TEST(TSV_0120_sign_verify_rsa_1024_pw) +{ + testSignVerify(RSA, 1024, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0130_sign_verify_rsa_2048) +{ + testSignVerify(RSA, 2048, PRIMARY); +} + +RUNNER_TEST(TSV_0140_sign_verify_rsa_2048_pw) +{ + testSignVerify(RSA, 2048, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0150_sign_verify_rsa_4096) +{ + testSignVerify(RSA, 4096, PRIMARY); +} + +RUNNER_TEST(TSV_0160_sign_verify_rsa_4096_pw) +{ + testSignVerify(RSA, 4096, PASSWORD_PROTECTED); +} + + +// DSA +RUNNER_TEST(TSV_0210_sign_verify_dsa_1024) +{ + testSignVerify(DSA, 1024, PRIMARY); +} + +RUNNER_TEST(TSV_0220_sign_verify_dsa_1024_pw) +{ + testSignVerify(DSA, 1024, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0230_sign_verify_dsa_2048) +{ + testSignVerify(DSA, 2048, PRIMARY); +} + +RUNNER_TEST(TSV_0240_sign_verify_dsa_2048_pw) +{ + testSignVerify(DSA, 2048, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0250_sign_verify_dsa_3072) +{ + testSignVerify(DSA, 3072, PRIMARY); +} + +RUNNER_TEST(TSV_0260_sign_verify_dsa_3072_pw) +{ + testSignVerify(DSA, 3072, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0270_sign_verify_dsa_4096) +{ + testSignVerify(DSA, 4096, PRIMARY); +} + +RUNNER_TEST(TSV_0280_sign_verify_dsa_4096_pw) +{ + testSignVerify(DSA, 4096, PASSWORD_PROTECTED); +} + + +// ECDSA +RUNNER_TEST(TSV_0310_sign_verify_ecdsa_PRIME192V1) +{ + testSignVerify(ECDSA, EC_PRIME192V1, PRIMARY); +} + +RUNNER_TEST(TSV_0320_sign_verify_ecdsa_PRIME192V1_pw) +{ + testSignVerify(ECDSA, EC_PRIME192V1, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0330_sign_verify_ecdsa_PRIME256V1) +{ + testSignVerify(ECDSA, EC_PRIME256V1, PRIMARY); +} + +RUNNER_TEST(TSV_0340_sign_verify_ecdsa_PRIME256V1_pw) +{ + testSignVerify(ECDSA, EC_PRIME256V1, PASSWORD_PROTECTED); +} + +RUNNER_TEST(TSV_0350_sign_verify_ecdsa_SECP384R1) +{ + testSignVerify(ECDSA, EC_SECP384R1, PRIMARY); +} + +RUNNER_TEST(TSV_0360_sign_verify_ecdsa_SECP384R1_pw) +{ + testSignVerify(ECDSA, EC_SECP384R1, PASSWORD_PROTECTED); +} + +// TODO: border cases for padding +// TODO: invalid arguments +// TODO: Big data diff --git a/src/common/scoped_process_label.cpp b/src/common/scoped_process_label.cpp index 47872bc..aa642fe 100644 --- a/src/common/scoped_process_label.cpp +++ b/src/common/scoped_process_label.cpp @@ -68,7 +68,10 @@ OnlycapSet smackGetOnlycap() break; last = onlycap.find_first_of(SEPARATORS, first + 1); - onlycapSet.insert(onlycap.substr(first, last - first)); + if (last == std::string::npos) + onlycapSet.insert(onlycap.substr(first)); + else + onlycapSet.insert(onlycap.substr(first, last - first)); } return onlycapSet; } @@ -122,7 +125,6 @@ ScopedProcessLabel::ScopedProcessLabel(std::string label, bool restore) : newOnlycap.insert(m_label); smackSetOnlycap(newOnlycap); } else { - m_originalLabel.clear(); m_originalOnlycap.clear(); } } @@ -135,7 +137,8 @@ ScopedProcessLabel::~ScopedProcessLabel() if (!m_originalLabel.empty()) { try { smackSetLabelForSelf(m_originalLabel); - smackSetOnlycap(m_originalOnlycap); + if (!m_originalOnlycap.empty()) + smackSetOnlycap(m_originalOnlycap); } catch (const DPL::Test::TestException& e) { RUNNER_ERROR_MSG("Test exception occurred: " << e.GetMessage()); } catch (const std::exception& e) {