From 30c356c26c7bdebadd82f7d9c130bfd45438be37 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Mon, 3 Jul 2023 13:59:21 +0200
Subject: [PATCH] Modify decider logic Allow importing of all types of asymmetric keys to TZ backend. Add unit-test
Change-Id: Iebbd0d5f37b4568b8c2473cdfe178d1ddad85a86
---
 src/manager/crypto/platform/decider.cpp | 38 +++++---
 src/manager/crypto/platform/decider.h | 6 +-
 unit-tests/CMakeLists.txt | 1 +
 unit-tests/test_decider.cpp | 156 ++++++++++++++++++++++++++++++++
 4 files changed, 185 insertions(+), 16 deletions(-)
 create mode 100644 unit-tests/test_decider.cpp
diff --git a/src/manager/crypto/platform/decider.cpp b/src/manager/crypto/platform/decider.cpp
index bdb976e..a1409d8 100644
--- a/src/manager/crypto/platform/decider.cpp
+++ b/src/manager/crypto/platform/decider.cpp
@@ -91,22 +91,26 @@ GStore* Decider::tryBackend(CryptoBackend backend)
 /*
 * operation encrypted type extractable backend
 * ----------------------------------------------
- * import FALSE binary - TZ/SW
+ * import FALSE binary * TZ/SW
 * skey FALSE TZ/SW
 * skey TRUE SW
- * akey - SW
- * cert - SW
- * TRUE binary - TZ
+ * akey FALSE TZ/SW
+ * akey TRUE SW
+ * cert * SW
+ * ----------------------------------------------
+ * import TRUE binary * TZ
 * skey FALSE TZ
 * skey TRUE NONE
- * akey - NONE
- * cert - NONE
- * generate - binary - TZ/SW
- * - cert - NONE
- * - skey FALSE TZ/SW
- * - skey TRUE SW
- * - akey FALSE TZ/SW
- * - akey TRUE SW
+ * akey FALSE TZ
+ * akey TRUE NONE
+ * cert * NONE
+ * ----------------------------------------------
+ * generate N/A binary * TZ/SW
+ * skey FALSE TZ/SW
+ * skey TRUE SW
+ * akey FALSE TZ/SW
+ * akey TRUE SW
+ * cert * NONE
 */
 std::deque Decider::getCompatibleBackends(DataType data,
 const Policy &policy,
@@ -131,7 +135,7 @@ std::deque Decider::getCompatibleBackends(DataType data,
 if (!encrypted) addSW();
- if (data.isBinaryData() || (data.isSymmetricKey() && !policy.extractable))
+ if (data.isBinaryData() || (data.isKey() && !policy.extractable))
 addTZ();
 } else { // generate/derive
 assert(!encrypted);
@@ -160,9 +164,13 @@ GStore &Decider::getStore(DataType data, const Policy &policy, bool import, bool
 ThrowErr(Exc::Crypto::InternalError, "Failed to connect to a compatible backend.");
 }
-bool Decider::checkStore(CryptoBackend requestedBackend, DataType data, const Policy &policy, bool import)
+bool Decider::checkStore(CryptoBackend requestedBackend,
+ DataType data,
+ const Policy &policy,
+ bool import,
+ bool encrypted)
 {
- auto backends = getCompatibleBackends(data, policy, import);
+ auto backends = getCompatibleBackends(data, policy, import, encrypted);
 for (auto id : backends) {
 if (id == requestedBackend)
 return true;
diff --git a/src/manager/crypto/platform/decider.h b/src/manager/crypto/platform/decider.h
index 47fb08d..e4c24fe 100644
--- a/src/manager/crypto/platform/decider.h
+++ b/src/manager/crypto/platform/decider.h
@@ -47,7 +47,11 @@ public:
 const Policy &policy,
 bool import = true,
 bool encrypted = false);
- bool checkStore(CryptoBackend id, DataType data, const Policy &policy, bool import);
+ bool checkStore(CryptoBackend id,
+ DataType data,
+ const Policy &policy,
+ bool import,
+ bool encrypted = false);
 private:
 GStore* tryBackend(CryptoBackend backend);
diff --git a/unit-tests/CMakeLists.txt b/unit-tests/CMakeLists.txt
index 139836d..3f7ad2e 100644
--- a/unit-tests/CMakeLists.txt
+++ b/unit-tests/CMakeLists.txt
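Review bot: The widened condition `data.isKey() && !policy.extractable` in the import branch of getCompatibleBackends carries no comment saying which key types it is meant to admit, and the table above the function only says "akey". Judging by the new test table it now covers private and public RSA, DSA and ECDSA keys. For an encrypted import TZ is the only backend offered, since SW is added only under `if (!encrypted)`, so this one predicate decides whether wrapped key material has a store at all. I would add a comment on the condition, for example `// isKey(): symmetric and asymmetric, private and public; extractable keys never go to TZ`, and confirm that the TZ backend accepts every type listed, which this patch does not show. The function body starts and ends outside the hunk.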
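Review bot: The new `encrypted` parameter of checkStore is defaulted in decider.h (`bool encrypted = false);`), so a caller that is not updated still compiles and is answered as if the import were unencrypted. With `encrypted == false` getCompatibleBackends adds SW, which the table in decider.cpp does not allow for an encrypted import, so a missed call site would approve a backend the decider itself refuses. I would drop the default in the declaration, `bool encrypted);`, so every caller has to state it; the new unit test already passes all five arguments. The callers are outside this patch, so whether any of them handles encrypted imports still needs checking.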
@@ -74,6 +74,7 @@ SET(UNIT_TESTS_SOURCES
 ${CMAKE_CURRENT_SOURCE_DIR}/test_crypto-logic.cpp
 ${CMAKE_CURRENT_SOURCE_DIR}/test_data-type.cpp
 ${CMAKE_CURRENT_SOURCE_DIR}/test_db_crypto.cpp
+ ${CMAKE_CURRENT_SOURCE_DIR}/test_decider.cpp
 ${CMAKE_CURRENT_SOURCE_DIR}/test_descriptor-set.cpp
 ${CMAKE_CURRENT_SOURCE_DIR}/test_dpl-db.cpp
 ${CMAKE_CURRENT_SOURCE_DIR}/test_dpl-exception.cpp
diff --git a/unit-tests/test_decider.cpp b/unit-tests/test_decider.cpp
new file mode 100644
index 0000000..6328977
--- /dev/null
+++ b/unit-tests/test_decider.cpp
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 2023 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+#include
+
+#include
+
+#include
+
+using namespace CKM;
+using namespace CKM::Crypto;
+
+namespace {
+
+struct Mapping {
+ bool import; // true - import, false - generate
+ bool encrypted;
+ DataType type;
+ bool extractable;
+ bool swBackend;
+ bool tzBackend;
+};
+
+std::vector MAPPING {
+// imp., enc., type, ext., SW, TZ
+ {true, false, DataType::BINARY_DATA, false, true, true },
+ {true, false, DataType::BINARY_DATA, true, true, true },
+
+ {true, false, DataType::KEY_AES, false, true, true },
+ {true, false, DataType::KEY_AES, true, true, false },
+
+ {true, false, DataType::KEY_RSA_PRIVATE, false, true, true },
+ {true, false, DataType::KEY_RSA_PRIVATE, true, true, false },
+ {true, false, DataType::KEY_RSA_PUBLIC, false, true, true },
+ {true, false, DataType::KEY_RSA_PUBLIC, true, true, false },
+
+ {true, false, DataType::KEY_DSA_PRIVATE, false, true, true },
+ {true, false, DataType::KEY_DSA_PRIVATE, true, true, false },
+ {true, false, DataType::KEY_DSA_PUBLIC, false, true, true },
+ {true, false, DataType::KEY_DSA_PUBLIC, true, true, false },
+
+ {true, false, DataType::KEY_ECDSA_PRIVATE, false, true, true },
+ {true, false, DataType::KEY_ECDSA_PRIVATE, true, true, false },
+ {true, false, DataType::KEY_ECDSA_PUBLIC, false, true, true },
+ {true, false, DataType::KEY_ECDSA_PUBLIC, true, true, false },
+
+ {true, false, DataType::CERTIFICATE, false, true, false },
+ {true, false, DataType::CERTIFICATE, true, true, false },
+
+ {true, false, DataType::CHAIN_CERT_0, false, true, false },
+ {true, false, DataType::CHAIN_CERT_0, true, true, false },
+
+
+ {true, true, DataType::BINARY_DATA, false, false, true },
+ {true, true, DataType::BINARY_DATA, true, false, true },
+
+ {true, true, DataType::KEY_AES, false, false, true },
+ {true, true, DataType::KEY_AES, true, false, false },
+
+ {true, true, DataType::KEY_RSA_PRIVATE, false, false, true },
+ {true, true, DataType::KEY_RSA_PRIVATE, true, false, false },
+ {true, true, DataType::KEY_RSA_PUBLIC, false, false, true },
+ {true, true, DataType::KEY_RSA_PUBLIC, true, false, false },
+
+ {true, true, DataType::KEY_DSA_PRIVATE, false, false, true },
+ {true, true, DataType::KEY_DSA_PRIVATE, true, false, false },
+ {true, true, DataType::KEY_DSA_PUBLIC, false, false, true },
+ {true, true, DataType::KEY_DSA_PUBLIC, true, false, false },
+
+ {true, true, DataType::KEY_ECDSA_PRIVATE, false, false, true },
+ {true, true, DataType::KEY_ECDSA_PRIVATE, true, false, false },
+ {true, true, DataType::KEY_ECDSA_PUBLIC, false, false, true },
+ {true, true, DataType::KEY_ECDSA_PUBLIC, true, false, false },
+
+ {true, true, DataType::CERTIFICATE, false, false, false },
+ {true, true, DataType::CERTIFICATE, true, false, false },
+
+ {true, true, DataType::CHAIN_CERT_0, false, false, false },
+ {true, true, DataType::CHAIN_CERT_0, true, false, false },
+
+
+ {false, false, DataType::BINARY_DATA, false, true, true },
+ {false, false, DataType::BINARY_DATA, true, true, true },
+
+ {false, false, DataType::KEY_AES, false, true, true },
+ {false, false, DataType::KEY_AES, true, true, false },
+
+ {false, false, DataType::KEY_RSA_PRIVATE, false, true, true },
+ {false, false, DataType::KEY_RSA_PRIVATE, true, true, false },
+ {false, false, DataType::KEY_RSA_PUBLIC, false, true, true },
+ {false, false, DataType::KEY_RSA_PUBLIC, true, true, false },
+
+ {false, false, DataType::KEY_DSA_PRIVATE, false, true, true },
+ {false, false, DataType::KEY_DSA_PRIVATE, true, true, false },
+ {false, false, DataType::KEY_DSA_PUBLIC, false, true, true },
+ {false, false, DataType::KEY_DSA_PUBLIC, true, true, false },
+
+ {false, false, DataType::KEY_ECDSA_PRIVATE, false, true, true },
+ {false, false, DataType::KEY_ECDSA_PRIVATE, true, true, false },
+ {false, false, DataType::KEY_ECDSA_PUBLIC, false, true, true },
+ {false, false, DataType::KEY_ECDSA_PUBLIC, true, true, false },
+
+ {false, false, DataType::CERTIFICATE, false, false, false },
+ {false, false, DataType::CERTIFICATE, true, false, false },
+
+ {false, false, DataType::CHAIN_CERT_0, false, false, false },
+ {false, false, DataType::CHAIN_CERT_0, true, false, false },
+};
+
+} // namespace
+
+BOOST_AUTO_TEST_SUITE(DECIDER_TEST)
+
+POSITIVE_TEST_CASE(MappingTest)
+{
+ Decider d;
+ bool ret;
+ for (const auto& row : MAPPING) {
+ Policy policy("", row.extractable);
+
+ ret = d.checkStore(CryptoBackend::OpenSSL, row.type, policy, row.import, row.encrypted);
+ BOOST_REQUIRE(ret == row.swBackend);
+
+ ret = d.checkStore(CryptoBackend::TrustZone, row.type, policy, row.import, row.encrypted);
+#ifdef TZ_BACKEND_ENABLED
+ BOOST_REQUIRE(ret == row.tzBackend);
+#else
+ BOOST_REQUIRE(ret == false);
+#endif
+
+ ret = d.checkStore(CryptoBackend::None, row.type, policy, row.import, row.encrypted);
+ BOOST_REQUIRE(ret == false);
+
+ ret = d.checkStore(CryptoBackend::SecureElement,
+ row.type,
+ policy,
+ row.import,
+ row.encrypted);
+ BOOST_REQUIRE(ret == false);
+ }
+}
+
+BOOST_AUTO_TEST_SUITE_END()
--
2.7.4
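Review bot: Each check in MappingTest is a bare `BOOST_REQUIRE(ret == ...)` inside the loop over MAPPING, so the first mismatch aborts the case and the failure message does not say which of the 60 rows was wrong. Because this table is the executable statement of which key material may go to which backend, I would report every row, e.g. `BOOST_CHECK_MESSAGE(ret == row.swBackend, "SW, row " << (&row - MAPPING.data()));`, and do the same for the TZ, None and SecureElement checks. `MAPPING` is also a mutable namespace-scope vector; adding `const` to its declaration would keep a later test from altering the expectations. Every call passes `encrypted` explicitly, so the defaulted fifth argument of checkStore is never exercised here.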