platform/core/test/security-tests.git
21 months agoAdd test cases for updating an app package 60/283060/4
Tomasz Swierczek [Mon, 17 Oct 2022 11:03:52 +0000 (13:03 +0200)]
Add test cases for updating an app package

security_manager_app_update() should be able
to remove apps not listed in update request
regardless of hybrid status of the package.

Change-Id: Icc25bf37969964426c356921f3ac7db661843955

3 years agoMerge branch 'tizen' into security-manager 74/250174/1
Dariusz Michaluk [Mon, 21 Dec 2020 14:02:28 +0000 (15:02 +0100)]
Merge branch 'tizen' into security-manager

Change-Id: Ifcd188e804bca1ccead8194889014a2596d3289d

3 years agoCleanup attr/xattr.h usage. 68/250168/2
Dariusz Michaluk [Mon, 21 Dec 2020 10:08:18 +0000 (11:08 +0100)]
Cleanup attr/xattr.h usage.

After attr package upgrade, attr/xattr.h has ben removed,
sys/xattr.h should be used instead.

To fix build break, unnecessary attr/xattr.h usage has ben removed
or changed to proper one.

Change-Id: I5a5acfd9f65e60975a1c28d0231d1bc035e99044

3 years agoMerge branch 'tizen' into security-manager 75/249775/1
Dariusz Michaluk [Wed, 16 Dec 2020 12:15:14 +0000 (13:15 +0100)]
Merge branch 'tizen' into security-manager

Change-Id: I7c7d3eaa8cddb40592f4258f7eb7f5488629fea4

4 years agoRefactor AccessProvider and ScopedAccessProvider 46/240346/5
Mateusz Cegielka [Wed, 5 Aug 2020 11:07:53 +0000 (13:07 +0200)]
Refactor AccessProvider and ScopedAccessProvider

AccessProvider is a helper class for setting up Smack rules, user id,
group id and process labels before or during a test. CKM tests also
contain different AccessProvider and ScopedAccessProvider classes, but
only use a single constructor of the latter to pretend to be an app.
These classes contain some duplicated code. Also, after the removal of
libsmack-tests, the responsibilities of these classes have shrunk to
pretending to be an app and nothing else.

I have cleaned up src/common/ AccessProvider, renamed it to AppContext
and made it flexible enough so that ScopedAccessProvider can be
implemented in terms of it and src/ckm/ AccessProvider can be removed. I
have then cleaned up ScopedAccessProvider and renamed it to
ScopedAppContext.

Change-Id: I325f7bd1d9c2ac276960530384682227cefec7da

4 years agoSwitch to c++17 10/244410/1
Krzysztof Jackiewicz [Fri, 18 Sep 2020 07:53:41 +0000 (09:53 +0200)]
Switch to c++17

Latest key-manager changes require c++17.

Change-Id: Ifadce309c2fa195fe4d2a432770803308f1e29d1

4 years agoRemove libsmack tests 72/244172/2
Mateusz Cegielka [Tue, 15 Sep 2020 08:44:53 +0000 (10:44 +0200)]
Remove libsmack tests

These tests are not executed on Jenkins, and currently are also broken.
More importantly, libsmack is an open-source library not specific to
Tizen, so there's not actually a lot of benefit in testing it.

I have removed libsmack-tests directory, as well as all related build
commands.

Change-Id: Ib5c78f2425d4a43567e50a41b90e25eab1597ae3

4 years agoRemove key-manager::api-storage privilege use in CKM tests 45/240345/2
Mateusz Cegielka [Mon, 27 Jul 2020 09:29:24 +0000 (11:29 +0200)]
Remove key-manager::api-storage privilege use in CKM tests

Some CKM tests request the key-manager::api-storage privilege when
switching context to the user. However. this privilege was removed five
years ago (see commits 06d3064 and d5e32f8 in key-manager) and is no
longer required to use key-manager.

I have removed all calls responsible for requesting this privilege. This
also made it possible to only use the simplest ScopedAccessRequest
constructor and remove all other constructors.

Change-Id: I788e44f8e59575f80c8999b6b64eaefcc905fb75

4 years agoFix only partial rollback of Smack rules 44/240344/2
Mateusz Cegielka [Fri, 24 Jul 2020 15:13:25 +0000 (17:13 +0200)]
Fix only partial rollback of Smack rules

Some tests temporarily add new Smack rules in order to test unprivileged
access to system services. After the test, they are cleared with
smack_revoke_subject. However, this only removes rules where the test
application is the subject.

I have replaced calls where this is an issue with a smack_accesses_clear
call, which removes all rules loaded with a given handle. Since affected
tests do not modify Smack rules in any other way and only use test
labels for fake apps, no rules removed by the old call and not by the
new call can exist.

Change-Id: I841d6b7ad05549d8837645e3d9176f4db7029908

4 years agoMerge branch 'tizen' into security-manager 14/236214/1
Dariusz Michaluk [Mon, 15 Jun 2020 15:00:51 +0000 (17:00 +0200)]
Merge branch 'tizen' into security-manager

Change-Id: I973bc6f714c4987e7d53d23e3efcaa2cf8768c4f

4 years agoSpring cleaning 80/232780/2
Konrad Lipinski [Wed, 29 Apr 2020 07:12:07 +0000 (09:12 +0200)]
Spring cleaning

* drop some unused code
* shrink interfaces a tiny bit
* obviate construction of a few intermediate objects

Change-Id: I66cbbfdab5270bc64fbb2e51b3de027f96ec86a9

4 years agoMerge branch 'ckm' into tizen 99/236199/1
Dariusz Michaluk [Mon, 15 Jun 2020 11:41:41 +0000 (13:41 +0200)]
Merge branch 'ckm' into tizen

Change-Id: I8e7dbe5e42290ebc991669d6e8405ff65eeb9972

4 years agoMerge branch 'security-manager' into tizen 98/236198/1
Dariusz Michaluk [Mon, 15 Jun 2020 11:25:16 +0000 (13:25 +0200)]
Merge branch 'security-manager' into tizen

Change-Id: I80391846ba53b683da6e46eb6e82b00739996c25

4 years agoImprove async getters' tests 03/233003/3
Krzysztof Jackiewicz [Mon, 11 May 2020 07:56:33 +0000 (09:56 +0200)]
Improve async getters' tests

Received item is not checked in async tests. It may as well be empty.
Compare retrieved object with saved one.

Change-Id: I0a6dbe988791accd308c7fe138531eac220b9279

4 years agoRemove ugly manual setup of pkgmgr database 27/232927/2
Tomasz Swierczek [Fri, 8 May 2020 09:35:07 +0000 (11:35 +0200)]
Remove ugly manual setup of pkgmgr database

Use new SM APIs instead so privilege-checker
doesn't have to call pkgmgr.

Change-Id: I15cdee3693ec1f16c789a9234e12703c2a6b3fcf

4 years agoSmack privilege tests with different configurations 01/231901/13
Krzysztof Jackiewicz [Fri, 24 Apr 2020 12:08:22 +0000 (14:08 +0200)]
Smack privilege tests with different configurations

Change-Id: I93138c69683dc910df44515d216b42f0b5855ff5

4 years agoFix smack privilege tests policy management 20/232820/1
Krzysztof Jackiewicz [Thu, 7 May 2020 20:05:04 +0000 (22:05 +0200)]
Fix smack privilege tests policy management

Because TEST_RUNNER_CHILD is used, the security-manager's policy is
being modified in individual processes. This leads to redundant
security-manager restarts and could leave security-manager with
improper policy after the test.

Manage the security-manager policy in the main process only.

Change-Id: I5d9924806f9ecdd28007f9cfd3ea3668e1a47a33

4 years agoUse TemporaryTestUser::getUidString where applicable 00/231900/12
Krzysztof Jackiewicz [Fri, 24 Apr 2020 19:51:37 +0000 (21:51 +0200)]
Use TemporaryTestUser::getUidString where applicable

Change-Id: I0663b3a29ca74eea2f5019319d857d03a0562885

4 years agoRemove package from pkgmgr-parser.db even when sm install fails 72/230072/3
Zofia Abramowska [Tue, 7 Apr 2020 15:59:43 +0000 (17:59 +0200)]
Remove package from pkgmgr-parser.db even when sm install fails

Change-Id: I645fc92a632f60a5891759b92a1da51ee5d3300d

4 years agoProvide configuration for smack-privilege tests 86/231586/18
Krzysztof Jackiewicz [Wed, 22 Apr 2020 11:17:29 +0000 (13:17 +0200)]
Provide configuration for smack-privilege tests

Security-manager has empty configuration for smack privileges by default. To
test this functionality smack privilege tests provide their own configurations.

Change-Id: I71028202f00eb159ee8d4df76041a25b4be188b1

4 years agoAdd new test scenario, where app is killed during policy change. 15/232315/3
Dariusz Michaluk [Thu, 30 Apr 2020 12:44:04 +0000 (14:44 +0200)]
Add new test scenario, where app is killed during policy change.

Change-Id: I9a57548b1f136f3612d8be5b1b2b6f64f335970d

4 years agoAdd smack-privilege tests 63/231163/22
Krzysztof Jackiewicz [Fri, 17 Apr 2020 12:34:05 +0000 (14:34 +0200)]
Add smack-privilege tests

Change-Id: Ic6b5535199e0b6095eda8539db847dc11aef356b

4 years agoAllow uid change in AppInstallHelper 10/231210/17
Krzysztof Jackiewicz [Mon, 20 Apr 2020 06:50:03 +0000 (08:50 +0200)]
Allow uid change in AppInstallHelper

Change-Id: I3d329b8afa481e90b367abbaeb80f20bd3cc2a45

4 years agoGroup privilege check refactoring 25/231025/20
Krzysztof Jackiewicz [Thu, 16 Apr 2020 20:18:49 +0000 (22:18 +0200)]
Group privilege check refactoring

Make the checking function a passive one. Do not change process suplementary
groups in it. Modify ScopedAppLauncher to perform the test in launched app.
Test group setting api in a separate test.

Change-Id: Iccc20810dad0b667f0f4007701bd0c99e5c99f83

4 years agoMake ScopedAppLauncher child always notify the parent 54/231254/15
Krzysztof Jackiewicz [Mon, 20 Apr 2020 13:18:10 +0000 (15:18 +0200)]
Make ScopedAppLauncher child always notify the parent

In case any of ScopedAppLauncher child process asserts fails, make sure the
parent is notified and displays the error properly.

Change-Id: I75bbe0e7781cf338b62a39de03fda8f305ae8d50

4 years agoCleanup namespace after app termination 48/231248/15
Krzysztof Jackiewicz [Mon, 20 Apr 2020 11:50:39 +0000 (13:50 +0200)]
Cleanup namespace after app termination

This API call is necessary to cleanup /var/run/user/ app links after app is
terminated. Security-manager detects running apps basing on these links
existence.

Change-Id: If4feb5d158deac30098d05230c9f7fca928eacd2

4 years agoCheck smack leftovers after uninstallation 76/230876/18
Krzysztof Jackiewicz [Wed, 15 Apr 2020 14:42:40 +0000 (16:42 +0200)]
Check smack leftovers after uninstallation

Not all smack rules are removed after user removal. It is due to improper
handling of hybridity update when apps are installed for different user than
the one passed in the update request.

Check it in security_manager_09_app. The check would fail. It has been marked
as "ignored" until proper fix lands in security-manager.

Change-Id: I7936d711e6a3f0dc14ecb405f35247b20f4cb37a

4 years agoAdd smack-privilege checkers to AppInstallHelperExt 33/229533/25
Krzysztof Jackiewicz [Thu, 23 Apr 2020 08:24:07 +0000 (10:24 +0200)]
Add smack-privilege checkers to AppInstallHelperExt

Change-Id: I814dc54983ebcd4c42db8e8fbca36df71e732f54

4 years agoAdd smack-privilege parsing to PolicyConfiguration 83/231683/10
Krzysztof Jackiewicz [Thu, 23 Apr 2020 09:46:21 +0000 (11:46 +0200)]
Add smack-privilege parsing to PolicyConfiguration

Change-Id: I9fa0b5b86138725cb9520379e25f71f82a3e43f7

4 years agoUnify privilege representation 99/231899/6
Krzysztof Jackiewicz [Fri, 24 Apr 2020 14:09:05 +0000 (16:09 +0200)]
Unify privilege representation

- Use common privilege names in all sm tests
- Remove ambigious/deprecated methods from AppInstallHelper
- Use PrivilegeVector instead of PolicyConfiguration::PrivVector in
  AppInstallHelper and related code
- Add privilege vectors instead of individual privileges where possible

Change-Id: I96cac9bacc8de271f9b9f9ceb7bf7c248fb26171

4 years agoExtend AppInstallHelper with checker methods 40/229940/15
Krzysztof Jackiewicz [Mon, 6 Apr 2020 15:35:56 +0000 (17:35 +0200)]
Extend AppInstallHelper with checker methods

Move app checkers to AppInstallHelper derived class. Too many arguments
have to be passed here and there. Writing new checkers is pain in the
back. There's still a lot to be improved. Testing framework has to be
adjusted to allow multiple apps in the package.

Change-Id: I4b363a6b0d102bd1df6ed8cce8494c884c8d088a

4 years agoAdd privilege names 98/231898/3
Krzysztof Jackiewicz [Fri, 24 Apr 2020 13:11:31 +0000 (15:11 +0200)]
Add privilege names

Also add new Privilege ctor to work with char* privilege names.

Change-Id: I8dd79e095bf118eb2f83b94182944a9eef0cfb11

4 years agoAdd rule file path getters to PolicyConfiguration 82/231682/2
Krzysztof Jackiewicz [Thu, 23 Apr 2020 09:48:12 +0000 (11:48 +0200)]
Add rule file path getters to PolicyConfiguration

Change-Id: If06e8ac749aeec23006ae5bd6d78b1658f13031e

4 years agoRemove unused shared ro template 56/231256/1
Krzysztof Jackiewicz [Tue, 31 Mar 2020 20:18:36 +0000 (22:18 +0200)]
Remove unused shared ro template

Change-Id: Ifd8f21e347934318edee10d9abc508ee902213df

4 years agoAvoid appId and pkgId copying in AppInstallHelper 14/229814/3
Krzysztof Jackiewicz [Fri, 3 Apr 2020 20:11:49 +0000 (22:11 +0200)]
Avoid appId and pkgId copying in AppInstallHelper

Change-Id: Ief63d53563143a18358b435a374685c9317ecbd7

4 years agoAdd ScopedAppLauncher 13/229813/2
Krzysztof Jackiewicz [Fri, 3 Apr 2020 20:00:22 +0000 (22:00 +0200)]
Add ScopedAppLauncher

Needed to check smack rules while app is running

Change-Id: I6ef63fc76dd27fb6119245541dc2fd9544ff98fe

4 years agoReplace magic policy level strings with constexpr 84/229684/2
Krzysztof Jackiewicz [Thu, 2 Apr 2020 12:41:59 +0000 (14:41 +0200)]
Replace magic policy level strings with constexpr

Change-Id: Ia539ec68d641448a8d84e175eb8efe2e888e6671

4 years agoRemove unused shared ro template 87/229387/2
Krzysztof Jackiewicz [Tue, 31 Mar 2020 20:18:36 +0000 (22:18 +0200)]
Remove unused shared ro template

Change-Id: Ifd8f21e347934318edee10d9abc508ee902213df

4 years agoFix nss tests 88/222588/5
Tomasz Swierczek [Thu, 16 Jan 2020 09:04:46 +0000 (10:04 +0100)]
Fix nss tests

Adjusted to new nss implementation where daemon set of groups
is always static.

Change-Id: I50974b1cce07b1ca77d0b42118042ae0210631fa

4 years agoMerge branch 'tizen' into security-manager 86/223086/1
Dariusz Michaluk [Wed, 22 Jan 2020 15:50:05 +0000 (16:50 +0100)]
Merge branch 'tizen' into security-manager

Change-Id: I6fb4dea8149fcd280c42a997c8f36ee8f8795e6f

4 years agoMerge branch 'tizen' into ckm 85/223085/1
Dariusz Michaluk [Wed, 22 Jan 2020 15:48:49 +0000 (16:48 +0100)]
Merge branch 'tizen' into ckm

Change-Id: I15cbe4302195ecaf5af4ce882126889db33a6f49

4 years agoCKM: Update Microsoft certificates 38/222838/3
Dariusz Michaluk [Mon, 20 Jan 2020 12:31:07 +0000 (13:31 +0100)]
CKM: Update Microsoft certificates

Change-Id: I1607f3be5179323bc50ba7d7806475637f70e5f7

4 years agoRevert assert removed in 6ee70830c0 82/223082/2
Dariusz Michaluk [Wed, 22 Jan 2020 15:19:26 +0000 (16:19 +0100)]
Revert assert removed in 6ee70830c0

Change-Id: I68e768e2f28f53bfc1984a4e41a7d1795fbe54ee

4 years agocynara-tests: replace select w/ poll 81/223081/1
Konrad Lipinski [Wed, 22 Jan 2020 15:04:50 +0000 (16:04 +0100)]
cynara-tests: replace select w/ poll

Change-Id: If7cf3efec5d0a38a6467a1dbea962c80820c6cd5

4 years agoFix for gcc 9 toolchain upgrade 69/223069/2
Dariusz Michaluk [Wed, 22 Jan 2020 12:48:09 +0000 (13:48 +0100)]
Fix for gcc 9 toolchain upgrade

Change-Id: I96c36e41b2048337faee2d683d1ffe9f44f91be2

4 years agoMerge branch 'ode' into tizen 67/223067/1
Dariusz Michaluk [Wed, 22 Jan 2020 12:28:51 +0000 (13:28 +0100)]
Merge branch 'ode' into tizen

Change-Id: I22e1736002482934b4a8f85c8eb6303ae02abfc6

4 years agoMerge branch 'nether' into tizen 65/223065/1
Dariusz Michaluk [Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)]
Merge branch 'nether' into tizen

Change-Id: If0dd79ca73bc75b14666067a8a11afd2680f7931

4 years agoMerge branch 'yaca' into tizen 62/223062/1
Dariusz Michaluk [Wed, 22 Jan 2020 12:18:47 +0000 (13:18 +0100)]
Merge branch 'yaca' into tizen

Change-Id: I240f8551fa276fe600dca2d1f098ddc636a9f905

4 years agoMerge branch 'ckm' into tizen 60/223060/1
Dariusz Michaluk [Wed, 22 Jan 2020 12:17:02 +0000 (13:17 +0100)]
Merge branch 'ckm' into tizen

Change-Id: Iac9d5cc6393e8598a33c783aabff77006046b187

4 years agoMerge branch 'security-manager' into tizen 54/223054/1
Dariusz Michaluk [Wed, 22 Jan 2020 11:53:48 +0000 (12:53 +0100)]
Merge branch 'security-manager' into tizen

Change-Id: I84d015537ad379d56d5d897dfe180080d5b6a687

4 years agoFix for gcc 9 toochain upgrade 20/223020/1
Tomasz Swierczek [Wed, 22 Jan 2020 06:11:29 +0000 (07:11 +0100)]
Fix for gcc 9 toochain upgrade

Change-Id: If7f8f1e4a00267661ebb66f53111eed9a3ed1460

4 years agoAdd prepareApp benchmark 03/222503/3 security-manager_5.5_testing
Konrad Lipinski [Wed, 15 Jan 2020 16:10:36 +0000 (17:10 +0100)]
Add prepareApp benchmark

Change-Id: Ia489e00a7ea6720191812d7a31a4e8d856d397e8

4 years agoFix shared_ro tests 38/219838/2
Zofia Grzelewska [Tue, 10 Dec 2019 14:11:27 +0000 (15:11 +0100)]
Fix shared_ro tests

Properly setup application context, before checking access
to sharedRO/nonSharedRO directories to apply mount namespaces.

Change-Id: Ied891a1cad6ad82402a995f5fc210a23fa1c09d9

4 years agoCKM: Test asymmetric key initial value import 57/216257/6
Konrad Lipinski [Tue, 1 Oct 2019 13:09:16 +0000 (15:09 +0200)]
CKM: Test asymmetric key initial value import

Change-Id: I48a977ee84602ab71b9889e39e79a004811f5f48

5 years agoAdd missing break in TestRunner 14/214914/1
Krzysztof Jackiewicz [Fri, 27 Sep 2019 10:41:38 +0000 (12:41 +0200)]
Add missing break in TestRunner

In a highly unlikey case of throwing the RUNNER_IGNORED_MSG during the test
finishing stage, after the SafeCleanup collected some exception handling
errors, these errors would be added to the ignore message.

Change-Id: I1aeedb46bf98b8300223a26c312abf98d63ca838

5 years agoMerge branch 'tizen' into 'ckm' 69/214169/1
Krzysztof Jackiewicz [Wed, 18 Sep 2019 13:12:09 +0000 (15:12 +0200)]
Merge branch 'tizen' into 'ckm'

Change-Id: If83694b3e0cd759296da5b920ec0adb50dcc54c2

5 years agoAdd SM test covering hybridity upgrade 59/209959/19
Alicja Kluczek [Thu, 4 Jul 2019 10:57:32 +0000 (12:57 +0200)]
Add SM test covering hybridity upgrade

Add functionality checking if there aren't any rules related
to app in Smack rules file (both for hybrid and non-hybrid package).
Apply above functionality every time when checking if
whole package has been uninstalled properly.
Add a test checking if Smack rules were properly deleted
after uninstall.

Change-Id: Ia638f478dc007a4ef42fe32e01a282dd960d50d7

5 years agoAdd SM tests covering many apps in single request 95/209295/35
Alicja Kluczek [Thu, 4 Jul 2019 10:57:32 +0000 (12:57 +0200)]
Add SM tests covering many apps in single request

Add tests covering installation & updating many apps in single request.
Add a function checking if an app has proper Smack policy.
Add a function parsing smack rules template files.
Add a function creating a new app in InstallRequest class.
Modify ScopedInstaller class for many apps in single request
compatibility.

Change-Id: I35bb9757f54b111629d45b1769ca4e53ccccd017

5 years agoAdjust prepareApp to use new API that sets up context for candidate process 03/212603/1
Tomasz Swierczek [Fri, 23 Aug 2019 06:51:07 +0000 (08:51 +0200)]
Adjust prepareApp to use new API that sets up context for candidate process

Change-Id: Ia0eb474cc21392aaf677b3e434903ed286094d30

5 years agoFix T9050_yaca_rsa_encryption_paddings test 94/210394/1
Dariusz Michaluk [Thu, 18 Jul 2019 15:10:21 +0000 (17:10 +0200)]
Fix T9050_yaca_rsa_encryption_paddings test

Change-Id: I2ae963ff203bff72e49a7d1c167695dbeb50ec19

5 years agoStop ode.socket together with ode.service 82/209182/3
Krzysztof Jackiewicz [Fri, 28 Jun 2019 16:00:22 +0000 (18:00 +0200)]
Stop ode.socket together with ode.service

Oded became socket activated. To test the connection refusal the
socket has to be put down as well.

Change-Id: Ifec50d1198ceeee7e5ac131715cbd8ca642427e5

5 years agoMerge branch 'tizen' into 'ode' 56/210256/1
Krzysztof Jackiewicz [Wed, 17 Jul 2019 08:52:17 +0000 (10:52 +0200)]
Merge branch 'tizen' into 'ode'

Change-Id: Ia15ecf4c082ffcf5dae47586fda10f7f48bab99c

5 years agoStart sockets before starting the service 68/209968/1
Krzysztof Jackiewicz [Fri, 12 Jul 2019 14:45:54 +0000 (16:45 +0200)]
Start sockets before starting the service

Change-Id: I154c3e208bac37aec7d80156a3623909c00ac891

5 years agoCKM: Handle onlycap even if trailing space is missing 84/209184/2
Krzysztof Jackiewicz [Wed, 3 Jul 2019 08:06:58 +0000 (10:06 +0200)]
CKM: Handle onlycap even if trailing space is missing

Change-Id: I45ee1a7f244662f80ec8eeaaf8141e1b4a52ad2c

5 years agoCKM: Update certificates for OCSP tests 46/209846/1
Krzysztof Jackiewicz [Thu, 11 Jul 2019 16:10:40 +0000 (18:10 +0200)]
CKM: Update certificates for OCSP tests

Change-Id: I1328e86de02a351f4c6f588685212dd1bb429bc1

5 years agoMigrate to openssl 1.1 73/206973/2
Konrad Lipinski [Wed, 29 May 2019 14:02:36 +0000 (16:02 +0200)]
Migrate to openssl 1.1

Change-Id: I5f63e3dfda3d5d4f007dd27d0faf41f3976aaebe

5 years agoCKM: Add buildtime requirement for openssl 87/208787/1
Krzysztof Jackiewicz [Fri, 28 Jun 2019 10:22:39 +0000 (12:22 +0200)]
CKM: Add buildtime requirement for openssl

Openssl is needed to perform buildtime encryption for TZ.

Change-Id: If5bdefa32dfd0ed26ea9f9e2318d8dc18a43677c

5 years agoCKM: Return proper error code from EIV encryption script 86/208786/1
Krzysztof Jackiewicz [Fri, 28 Jun 2019 10:15:15 +0000 (12:15 +0200)]
CKM: Return proper error code from EIV encryption script

The encryption script did not report an error if one of pipelined
commands failed.

Add few bash options that will make the script fail with proper error
code in such cases.

Change-Id: I47a9739af93f07d2cb0e20f22087a2c182de6835

5 years agoCKM: Handle the empty onlycap case properly 84/208784/1
Krzysztof Jackiewicz [Fri, 28 Jun 2019 09:39:32 +0000 (11:39 +0200)]
CKM: Handle the empty onlycap case properly

In case of empty onlycap the original process label was not restored
properly leading to failures in following tests.

Change-Id: I9e4cdce234b425887da07892773f21465087c4a6

5 years agoCKM: Adjust T1810_verify_get_certificate_chain to openssl1.1 90/207890/2
Krzysztof Jackiewicz [Thu, 13 Jun 2019 14:45:15 +0000 (16:45 +0200)]
CKM: Adjust T1810_verify_get_certificate_chain to openssl1.1

Since openssl1.1 all certificates in the chain (including trusted
ones) must include a 'basicConstrains' extension with 'CA' field set
to 'true'. Without that the verification will fail with
X509_V_ERR_INVALID_CA.

This commit recreates the chain of certificates used in T1810 with the
required extension included and updates related tests.

Change-Id: I6d2e9348a2ae6618103749d83e46a433608e65c3

5 years agoMerge branch 'tizen' into ode 32/207532/1
Dariusz Michaluk [Thu, 6 Jun 2019 11:33:21 +0000 (13:33 +0200)]
Merge branch 'tizen' into ode

Change-Id: Ic562abbef0de256d5f0f0697709de296d7d8c986

5 years agoMerge branch 'tizen' into yaca 30/207530/1
Dariusz Michaluk [Thu, 6 Jun 2019 11:20:29 +0000 (13:20 +0200)]
Merge branch 'tizen' into yaca

Change-Id: Ia99b4501adeb3cc939ad9c146026c8ace247fd6d

5 years agoAdd UTC test cases to security-tests for alias listing APIs 05/207505/1
Tomasz Swierczek [Tue, 4 Jun 2019 07:09:38 +0000 (09:09 +0200)]
Add UTC test cases to security-tests for alias listing APIs

These tests are needed to cover the ckmc layer for new APIs.

Change-Id: I816a02e0f54ed70982facfe125fd4264e615c673

5 years agoMerge branch 'tizen' into ckm 84/207284/1
Tomasz Swierczek [Fri, 31 May 2019 12:16:48 +0000 (14:16 +0200)]
Merge branch 'tizen' into ckm

Change-Id: Icec8c73670c995d05324b91a6c86088037acb75f

5 years agoFlush tests stdout 18/207218/1
Krzysztof Jackiewicz [Thu, 9 May 2019 12:03:23 +0000 (14:03 +0200)]
Flush tests stdout

Tests output is displayed in batches making it difficult to observe
the progress. This commit introduces flushing the stdout after every
printf to overcome the problem.

Change-Id: I84174a15e7bf797080b4f830fe5adaa3e48f6b26

5 years agoCKM: Remove ECDSA nohash tests 21/206421/1
Krzysztof Jackiewicz [Fri, 17 May 2019 12:55:18 +0000 (14:55 +0200)]
CKM: Remove ECDSA nohash tests

Hash algorithm is required for DSA and ECDSA. Tests have been
adjusted.

Change-Id: I9bc1d6dbfbcd876685de1c128f001c0644882235

5 years agoCKM: Fix big data tests on both backends 43/206343/1
Krzysztof Jackiewicz [Thu, 16 May 2019 14:09:13 +0000 (16:09 +0200)]
CKM: Fix big data tests on both backends

C API does not provide a possibility to enforce the backend. If TZ
backend is enabled in key-manager it will be used for storing big
data. TZ backend has size limitations and so the 5000000B buffer can't
be used. Add a test for big data using C++ API that allows backend
selection.

Change-Id: Id73dcdc9bfb6c02eedd32fc4c6d5637172dd3c52

5 years agoCKM: Add sign/verify test for both backends 94/203094/2
Krzysztof Jackiewicz [Thu, 4 Apr 2019 14:58:27 +0000 (16:58 +0200)]
CKM: Add sign/verify test for both backends

Add a generic signing/verification test runnable on both backends.

Change-Id: Ia0b646fd8cf1b256e82a5f12abf6c0940fca3c64

5 years agoCKM: Adjust GCM tag len tests to GP 66/202366/2
Krzysztof Jackiewicz [Wed, 27 Mar 2019 13:39:07 +0000 (14:39 +0100)]
CKM: Adjust GCM tag len tests to GP

According to GP API spec the shortest supported GCM tag length is 96
bits. Software backend allows shorter tags.

Expect error in case of tags shorter than 96 in TZ mode.

Change-Id: I3d716ab57670c735470c78069fb620edccc84daf

5 years agoCKM: Reduce big data size in TZ tests 62/202362/3
Krzysztof Jackiewicz [Wed, 27 Mar 2019 11:29:24 +0000 (12:29 +0100)]
CKM: Reduce big data size in TZ tests

The CFB big data encryption takes more than 20 minutes on TZ backend crossing
the key-manager's socket timeout as well as async API timeout and dramatically
extending the test duration. The reason is that CFB is not supported by GP API
and is implemented using multiple ECB encryption requests which takes a lot of
time.

Make big data size in TZ tests smaller.

Change-Id: Id02f5e49f18e1cdb18a245714fb4b79aeea93db8

5 years agoCKM: Remove all keys after encryption group is finished 00/202000/3
Krzysztof Jackiewicz [Thu, 21 Mar 2019 16:23:05 +0000 (17:23 +0100)]
CKM: Remove all keys after encryption group is finished

Removal of user's data removes only the rich OS database leaving objects created
by TA in secure OS storage. Objects have to be removed explicitly one by one.

Change-Id: I88053b7cd3638a0a168d925a4e903343833ed0bf

5 years agoCKM: Make encryption tests runnable on both backends 76/201976/4
Krzysztof Jackiewicz [Thu, 21 Mar 2019 09:21:38 +0000 (10:21 +0100)]
CKM: Make encryption tests runnable on both backends

Depending on the TZ_BACKEND define the encryption tests will be executed on SW
or TZ backend. Tests need to be adjusted to properly work in both cases.

Change-Id: Ib59553faa0bb70958a71ea965cefd469cc5a8ef7

5 years agoCKM: Remove CBC from integrity tests 74/201974/4
Krzysztof Jackiewicz [Wed, 20 Mar 2019 14:23:46 +0000 (15:23 +0100)]
CKM: Remove CBC from integrity tests

In case of CBC the tests that uses different key to decrypt the data may pass of
fail depending on the padding scheme and input data length. In other words, we
should not expect the CBC to fail if wrong key is used, yet in many cases it
does fail.

Change-Id: Ib213544b6349433c15346eb422cdbeea4f074544

5 years agoCKM: Prepare db & keys once per encryption group 72/201972/5
Krzysztof Jackiewicz [Tue, 19 Mar 2019 10:38:27 +0000 (11:38 +0100)]
CKM: Prepare db & keys once per encryption group

Database initialzation & cleanup (unlock, data removal) are only performed once
per encryption decryption test group.

Key generation in encryption decryption test group takes a lot of
time. Initialize the keys once for the group and reuse them.

Change-Id: Ibde172b4c3cfe4382c43302034aa1ee52d1355f6

5 years agoMerge branch 'tizen' into 'ckm' 71/201971/4
Krzysztof Jackiewicz [Thu, 4 Apr 2019 15:02:26 +0000 (17:02 +0200)]
Merge branch 'tizen' into 'ckm'

Change-Id: I187b2765fb572bc7a1963afb18794356b87305aa

5 years agoAdd group init/cleanup functionality 73/201773/4
Krzysztof Jackiewicz [Mon, 18 Mar 2019 17:08:06 +0000 (18:08 +0100)]
Add group init/cleanup functionality

Add possibility to launch an initialization and cleanup function before and
after a specific group of tests.

Disclaimer: this commit is supposed to quickly add necessary functionality
without making things worse. It does not cover any possible fixes of existing
code.

Change-Id: I7512ae77b7193f61e2dc5f72132a815c5d1da751

5 years agoCKM: Replace facebook certificate with microsoft one 63/202363/3
Krzysztof Jackiewicz [Wed, 27 Mar 2019 12:40:28 +0000 (13:40 +0100)]
CKM: Replace facebook certificate with microsoft one

Facebook certificate has expired. New one will expire in June. To avoid frequent
updates it has been replaced with MS certificate which is valid much longer.

Change-Id: I455485be19e0114d49ed5cca2f9095d77a179b02

5 years agoCKM: fix T3045_save_big_data_C_API test on TZ-backend 54/201454/2
Tomasz Swierczek [Thu, 14 Mar 2019 07:35:36 +0000 (08:35 +0100)]
CKM: fix T3045_save_big_data_C_API test on TZ-backend

TZ backend could possibly support less data in one chunk than data used
in the test; since ckmc API doesn't support setting backend, so in the test,
the size of data varies depending whether the code is compiled with "tz_backend" flag.

Change-Id: Ibd420d1fff67085cb809970b2596e01f992786f3

5 years agoCKM: Update old initial values tests
Krzysztof Jackiewicz [Tue, 4 Dec 2018 12:39:47 +0000 (13:39 +0100)]
CKM: Update old initial values tests

With introduction of support for initial values (including encrypted
ones) in key manager's TZ backend the xml scheme and the encryption
scheme has been changed. Also the SW backend does not handle encrypted
initial values. As a result the existing tests for initial values
started to fail.

To make them work again the following changes are introduced:
- Use version 2 in test xml files.
- Remove all code, files and xml elements related to encrypted initial
  values from old tests (T6001-T6999).
- Enable old initial values tests in an environment with no TZ support.
- Add a TODO list for initial values tests.

Change-Id: I1f9cb80b6080f628e2058c9165dfd424b0ad44d1

5 years agoFix empty argument issue in security-tests-all.sh
Krzysztof Jackiewicz [Fri, 1 Mar 2019 11:06:18 +0000 (12:06 +0100)]
Fix empty argument issue in security-tests-all.sh

If --noignored option is used in security-tests-all.sh an empty argument is
passed to security-tests.sh which causes an error.

Refactor security test scripts to avoid empty arguments.

Change-Id: Iedfe0d35a096334ec070167c870de2db01d64607

5 years agoGeneric solution for onlycap issues 08/200708/5
Krzysztof Jackiewicz [Fri, 1 Mar 2019 11:12:34 +0000 (12:12 +0100)]
Generic solution for onlycap issues

Once a process changes its smack label it may be unable to restore the original
one if onlycap is active and the new label is not in onlycap.

This commit provides a single class for handling process relabeling. The class
is able to restore the original process label even if onlycap is active. To do
so it stores the original onlycap value and original process label. The new
label is appended to current onlycap. When class is destroyed the old label and
old onlycap content is restored.

The drawback of this solution is that the relabeled process effectively gets
CAP_MAC_ADMIN.

The script for running ckm tests on onlycap has been removed.

All tests that do not directly test smack_set_label_for_self() use the new class
for process relabeling.

Change-Id: I0dda65fbd392f1b09061349061bdaf634efd9093

5 years agoMerge branches 'ckm', 'security-manager' and 'cynara' into 'tizen' 29/200729/2
Krzysztof Jackiewicz [Mon, 4 Mar 2019 09:13:17 +0000 (10:13 +0100)]
Merge branches 'ckm', 'security-manager' and 'cynara' into 'tizen'

This merge is necessary to introduce common changes to onlycap handling in a
following commit.

Change-Id: I78a26f9d4820067fca2f0bcc2ab7ce96f5d4e4e4

5 years agoCKM: Use proper application label prefix 05/200705/2
Krzysztof Jackiewicz [Thu, 28 Feb 2019 13:04:19 +0000 (14:04 +0100)]
CKM: Use proper application label prefix

Change-Id: I52452360de85dd550384ec109a4083ec4e6ff489

5 years agoReplace CKMErrorToString with APICodeToString 30/200230/7
Tomasz Swierczek [Wed, 20 Feb 2019 09:28:40 +0000 (10:28 +0100)]
Replace CKMErrorToString with APICodeToString

CKMErrorToString is not needed as key-manager just gained
almost exactly the same functionality in its ckm-error.h file.

Change-Id: I4150246e4779b7ec4a03e43eef38ec5593159f8e

5 years agoCKM: Add tests for new API: list alias with information about password protection 23/186023/6
Ernest Borowski [Fri, 23 Feb 2018 13:38:41 +0000 (14:38 +0100)]
CKM: Add tests for new API: list alias with information about password protection

Change-Id: Iae18e91e1a3335cd5ca55811d0edbfd98eee59c6
Signed-off-by: Ernest Borowski <e.borowski@partner.samsung.com>
5 years agoAdd sd-bus cynara API tests 08/191708/4
Monika Zielinska [Wed, 31 Oct 2018 08:44:45 +0000 (09:44 +0100)]
Add sd-bus cynara API tests

Change-Id: Ice5413156be6bd239be0898a5577b7f9ad6efcf7

5 years agoCKM: Extend encrypted initial values test 26/192126/7
Krzysztof Jackiewicz [Mon, 29 Oct 2018 15:54:27 +0000 (16:54 +0100)]
CKM: Extend encrypted initial values test

- Make it independent from other tests by adding initial values xml preparation,
  key-manager restart and db cleanup.
- Generate initial values at build time using ckm_initial_values tool.
- Install the tested xml file in test directory and copy it to initial values
  dir during the test instead of installing it there directly.
- Encrypt the test data using openssl and the same key that is passed as initial
  value during compilation instead of hardcoding the encryption results.
- Add build time dependency to util-linux to be able to use hexdump.
- Add build time dependency to key-manager-initial-values to be able to run the
  tool.

Change-Id: I7fe4be6a3493860244ac1cc1c0bb0dace5109a04

5 years agoAdd gbs option to enable the TZ backend support
Pawel Kowalski [Wed, 28 Nov 2018 10:51:13 +0000 (11:51 +0100)]
Add gbs option to enable the TZ backend support

To enable the TZ backend support add following option to the gbs build:
--define "tz_backend ON". If the option is not set or is set to value
different than ON, the TZ backend support is disabled (it is disabled by
default).
When the TZ backend is disabled, some tests (T6* and T7*) are not built.

The same option has been added to the key-manager (branch tizen).

The key-manager-ta requires the following gbs option for these tests to
work properly: --define "test_key ON".

Change-Id: If1c27d8ae556f6882f65c4ace8bb4c1759656893

6 years agoEncrypted initial values test 23/191023/4
Bartlomiej Grzelewski [Wed, 10 Oct 2018 13:02:46 +0000 (15:02 +0200)]
Encrypted initial values test

To use this test you must:
 * turn on tz_backend_enabled value in key-manager spec file
 * turn on attach_test_key value in key-manager-ta spec file
 * restart central-key-manager after security-tests installation

Change-Id: I2238bbc886fa33d6cad2f155f122a30cf35404b5

6 years agoODE API negative tests: internal encryption 14/182614/5
Pawel Kowalski [Mon, 25 Jun 2018 11:38:33 +0000 (13:38 +0200)]
ODE API negative tests: internal encryption

Change-Id: I4e342049e268bd17ed4367a1e998d38b0aa8b8ba