From: Jakub Wlostowski Date: Wed, 31 Jul 2024 14:40:48 +0000 (+0200) Subject: Check PQC API protection X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F11%2F315411%2F13;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Check PQC API protection Change-Id: Id88a64ed78395b4b02b02de350169db4b1e4f7ba --- diff --git a/src/ckm-integration/group02.cpp b/src/ckm-integration/group02.cpp index 7c6251ca..2e6bcfd4 100644 --- a/src/ckm-integration/group02.cpp +++ b/src/ckm-integration/group02.cpp @@ -191,6 +191,14 @@ RUNNER_CHILD_TEST(G02T06_ExtendedPositive) { CKM::RawBuffer data; CKM::RawBuffer wrappedKey; + const CKM::KemType type = CKM::KemType::ML_KEM_768; + const CKM::Alias privateKeyAlias; + const CKM::Alias publicKeyAlias; + const CKM::Alias firstSharedSecretAlias; + const CKM::Alias secondSharedSecretAlias; + const CKM::Alias newSharedSecretAlias; + CKM::RawBuffer ciphertext; + // We pass invalid data so we expect an error but it should not be ACCESS_DENIED as we have // proper privileges RUNNER_ASSERT_MSG( @@ -202,6 +210,26 @@ RUNNER_CHILD_TEST(G02T06_ExtendedPositive) { CKM_API_ERROR_ACCESS_DENIED != (temp = manager->unwrapConcatenatedData( params, wrappingKeyAlias, wrappingKeyPassword, wrappedKey, alias, 0, CKM::Policy(), data)), "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED != (temp = manager->createKeyPairKEM( + type, privateKeyAlias, publicKeyAlias, CKM::Policy(), CKM::Policy())), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED != (temp = manager->encapsulateKey( + params, publicKeyAlias, password, firstSharedSecretAlias, CKM::Policy(), ciphertext)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED != (temp = manager->decapsulateKey( + params, privateKeyAlias, password, secondSharedSecretAlias, CKM::Policy(), ciphertext)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED != (temp = manager->deriveHybrid( + params, firstSharedSecretAlias, password, secondSharedSecretAlias, password, newSharedSecretAlias, CKM::Policy())), + "Error=" << CKM::APICodeToString(temp)); } RUNNER_CHILD_TEST(G02T07_ExtendedNegative) { @@ -220,6 +248,14 @@ RUNNER_CHILD_TEST(G02T07_ExtendedNegative) { CKM::RawBuffer data; CKM::RawBuffer wrappedKey; + const CKM::KemType type = CKM::KemType::ML_KEM_768; + const CKM::Alias privateKeyAlias; + const CKM::Alias publicKeyAlias; + const CKM::Alias firstSharedSecretAlias; + const CKM::Alias secondSharedSecretAlias; + const CKM::Alias newSharedSecretAlias; + CKM::RawBuffer ciphertext; + // We expect to receive ACCESS_DENIED before the actual logic function is called (which would // return a different error because we pass invalid parameters) RUNNER_ASSERT_MSG( @@ -232,4 +268,24 @@ RUNNER_CHILD_TEST(G02T07_ExtendedNegative) { params, wrappingKeyAlias, wrappingKeyPassword, wrappedKey, alias, 0, CKM::Policy(), data)), "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->createKeyPairKEM( + type, privateKeyAlias, publicKeyAlias, CKM::Policy(), CKM::Policy())), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->encapsulateKey( + params, publicKeyAlias, password, firstSharedSecretAlias, CKM::Policy(), ciphertext)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->decapsulateKey( + params, privateKeyAlias, password, secondSharedSecretAlias, CKM::Policy(), ciphertext)), + "Error=" << CKM::APICodeToString(temp)); + + RUNNER_ASSERT_MSG( + CKM_API_ERROR_ACCESS_DENIED == (temp = manager->deriveHybrid( + params, firstSharedSecretAlias, password, secondSharedSecretAlias, password, newSharedSecretAlias, CKM::Policy())), + "Error=" << CKM::APICodeToString(temp)); }