src/ckm/privileged/initial-values.cpp

   1 /*
   2  *  Copyright (c) 2000 - 2015 Samsung Electronics Co.
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  * @file       system-db.cpp
  17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
  18  * @version    1.0
  19  */
  20 #include <dpl/test/test_runner.h>
  21 #include <dpl/test/test_runner_child.h>
  22 #include <tests_common.h>
  23 #include <ckm-common.h>
  24 #include <ckm-privileged-common.h>
  25 #include <ckm/ckm-control.h>
  26 #include <ckm/ckm-manager.h>
  27 #include <ckmc/ckmc-manager.h>
  28 #include <access_provider2.h>
  29 #include <fstream>
  30 #include <ios>
  31 #include <unistd.h>
  32
  33 namespace
  34 {
  35 const uid_t USER_APP            = 5070;
  36 const uid_t GROUP_APP           = 5070;
  37 const char* APP_PASS            = "user-pass";
  38
  39 const char *XML_DEVICE_KEY              = "device_key.xml";
  40
  41 const char *XML_1_okay                  = "XML_1_okay.xml";
  42 std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  43 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
  44 std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
  45 // uncomment when AES is supported (+ usage in the tests)
  46 std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
  47 std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  48 std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  49 const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
  50 // encrypted
  51 std::string XML_1_EXPECTED_KEY_3_RSA_PRV    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
  52 std::string XML_1_EXPECTED_KEY_3_RSA_PUB    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
  53 std::string XML_1_EXPECTED_ASCII_DATA       = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
  54 std::string XML_1_EXPECTED_BIG_DATA         = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");
  55
  56 const char *XML_2_okay                  = "XML_2_okay.xml";
  57 std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
  58 std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
  59 // uncomment when AES is supported
  60 std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
  61 std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
  62 std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
  63 const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";
  64
  65 const char *XML_3_wrong                 = "XML_3_wrong.xml";
  66 std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
  67 std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
  68 // uncomment when AES is supported
  69 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  70 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  71
  72 std::string format_src_path(const char *file)
  73 {
  74     return std::string(CKM_TEST_DIR) + std::string(file);
  75 }
  76
  77 std::string format_dest_key_path(const char *file)
  78 {
  79     return std::string(CKM_RW_DATA_DIR) + std::string(file);
  80 }
  81
  82 std::string format_dest_path(const char *file)
  83 {
  84     return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
  85 }
  86
  87 void copy_file(const std::string &from, const std::string &to)
  88 {
  89     std::ifstream infile(from, std::ios_base::binary);
  90     RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
  91     std::ofstream outfile(to, std::ios_base::binary);
  92     RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
  93     outfile << infile.rdbuf();
  94 }
  95
  96 void restart_key_manager()
  97 {
  98     stop_service(MANAGER);
  99     start_service(MANAGER);
 100 }
 101
 102 void test_exists(const std::string& name, bool expected) {
 103     bool file_exists = (access( name.c_str(), F_OK ) != -1);
 104     RUNNER_ASSERT_MSG(file_exists == expected,
 105                       "File " << name << " status: " << file_exists <<
 106                       " while expected: " << expected);
 107 }
 108
 109 }
 110
 111 int hexToBin(char h) {
 112     if (h >= '0' && h <= '9')
 113         return h - '0';
 114     if (h >= 'a' && h <= 'f')
 115         return h - 'a' + 10;
 116     if (h >= 'A' && h <= 'F')
 117         return h - 'A' + 10;
 118     RUNNER_ASSERT_MSG(false, "Input out of scope");
 119 }
 120
 121 CKM::RawBuffer hexToBin(std::string &hex) {
 122     CKM::RawBuffer output;
 123     output.resize(hex.size()/2);
 124     for (size_t i=0; i<output.size(); ++i) {
 125         output[i] = hexToBin(hex[i*2])*16 +
 126                     hexToBin(hex[i*2 + 1]);
 127     }
 128     return output;
 129 }
 130
 131 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 132
 133 RUNNER_TEST(T6001_init)
 134 {
 135     // [prepare]
 136     // remove database 0
 137     // copy to the initial-values folder
 138     // check XML file exists
 139     // restart the key-manager
 140     // check XML file doesn't exist
 141
 142     copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
 143     copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
 144     copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
 145     copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
 146
 147     test_exists(format_dest_path(XML_1_okay), true);
 148     test_exists(format_dest_path(XML_2_okay), true);
 149     test_exists(format_dest_path(XML_3_wrong), true);
 150
 151     restart_key_manager();
 152
 153     test_exists(format_dest_path(XML_1_okay), false);
 154     test_exists(format_dest_path(XML_2_okay), false);
 155     test_exists(format_dest_path(XML_3_wrong), false);
 156 }
 157
 158 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
 159 {
 160     // [test1]
 161     // check items existence as system service
 162     // [test2]
 163     // check items existence as TEST_LABEL
 164     // [test3]
 165     // check items existence as TEST_LABEL_2
 166
 167     // [test1]
 168     {
 169         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 170         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 171         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 172         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 173         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 174     }
 175
 176     // [test2]
 177     {
 178         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 179         ScopedAccessProvider ap(TEST_LABEL);
 180         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 181
 182         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 183         check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
 184         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 185         check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
 186         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 187     }
 188
 189     // [test3]
 190     {
 191         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 192         ScopedAccessProvider ap(TEST_LABEL_2);
 193         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 194
 195         check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
 196         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 197         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 198         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 199         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 200     }
 201 }
 202
 203 RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
 204 {
 205     // [test]
 206     // check items existence as system service
 207     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 208     check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 209     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 210     check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 211     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 212     check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 213     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 214     check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
 215     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 216     check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
 217 }
 218
 219 RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
 220 {
 221     // [test]
 222     // check items existence as system service - nothing should be available
 223     check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
 224     check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
 225     check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
 226     check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
 227 }
 228
 229 RUNNER_TEST(T6040_CHECK_KEYS_VALID)
 230 {
 231     // [test]
 232     // check if key can create & verify signature
 233     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 234     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 235     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 236     ckmc_raw_buffer_s *signature = NULL;
 237     int temp;
 238     RUNNER_ASSERT_MSG(
 239             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 240                     XML_1_EXPECTED_KEY_2_RSA.c_str(),
 241                     NULL,
 242                     msg_buff,
 243                     hash_algo,
 244                     pad_algo,
 245                     &signature)),
 246             CKMCReadableError(temp));
 247
 248     // invalid password
 249     RUNNER_ASSERT_MSG(
 250             CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
 251                         XML_1_EXPECTED_KEY_1_RSA.c_str(),
 252                         NULL,
 253                         msg_buff,
 254                         *signature,
 255                         hash_algo,
 256                         pad_algo)),
 257                 CKMCReadableError(temp));
 258
 259     // correct password
 260     RUNNER_ASSERT_MSG(
 261             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 262                     XML_1_EXPECTED_KEY_1_RSA.c_str(),
 263                     XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
 264                     msg_buff,
 265                     *signature,
 266                     hash_algo,
 267                     pad_algo)),
 268             CKMCReadableError(temp));
 269
 270     ckmc_buffer_free(signature);
 271 }
 272
 273 RUNNER_TEST(T6050_ENCRYPTED_KEY)
 274 {
 275     // [prepare]
 276     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 277     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 278     // [test0]
 279     // check if encrypted private key is present
 280     // check if public key is present
 281     // [test1]
 282     // extract the private, encrypted key
 283     // extract the public key
 284     // create signature using the public key
 285     // verify signature using the decrypted private key
 286
 287     // [test0]
 288     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
 289     check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);
 290
 291
 292     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 293     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 294     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 295     ckmc_raw_buffer_s *signature = NULL;
 296     int temp;
 297     RUNNER_ASSERT_MSG(
 298             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 299                     XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
 300                     NULL,
 301                     msg_buff,
 302                     hash_algo,
 303                     pad_algo,
 304                     &signature)),
 305             CKMCReadableError(temp));
 306
 307     // invalid password
 308     RUNNER_ASSERT_MSG(
 309             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 310                         XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
 311                         NULL,
 312                         msg_buff,
 313                         *signature,
 314                         hash_algo,
 315                         pad_algo)),
 316                 CKMCReadableError(temp));
 317
 318     ckmc_buffer_free(signature);
 319 }
 320
 321 RUNNER_TEST(T6060_ENCRYPTED_ASCII_DATA)
 322 {
 323     // [prepare]
 324     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 325     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 326     // [test0]
 327     // extract data
 328     // check if data matches the expected size and content
 329
 330     // [test0]
 331     ckmc_raw_buffer_s *testData1;
 332     int temp;
 333     RUNNER_ASSERT_MSG(
 334             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
 335             CKMCReadableError(temp));
 336     size_t expected_len = 15;
 337     RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
 338     RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
 339     ckmc_buffer_free(testData1);
 340 }
 341
 342 RUNNER_TEST(T6070_ENCRYPTED_BIG_DATA)
 343 {
 344     // [prepare]
 345     // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
 346     // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
 347     // [test0]
 348     // extract data
 349     // check if data matches the expected size
 350
 351     // [test0]
 352     ckmc_raw_buffer_s *testData1;
 353     int temp;
 354     RUNNER_ASSERT_MSG(
 355             CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
 356             CKMCReadableError(temp));
 357     RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
 358     ckmc_buffer_free(testData1);
 359 }
 360
 361 RUNNER_TEST(T6999_deinit)
 362 {
 363     remove_user_data(0);
 364 }
 365
 366 RUNNER_TEST(T7000_Encrypted_initial_values)
 367 {
 368     int temp;
 369     std::string message  = "16c9efbc342777c0e36d59019582d59be8385bdea5497cf092f99ce5430498e9";
 370     std::string iv       = "6162636465666768696a6b6c6d6e6f70";
 371
 372     std::string expected = "ShortTestMessage";
 373
 374     CKM::CryptoAlgorithm algo;
 375     CKM::RawBuffer messageBin = hexToBin(message);
 376     CKM::RawBuffer ivBin = hexToBin(iv);
 377     CKM::RawBuffer decrypted;
 378
 379     algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
 380     algo.setParam(CKM::ParamName::ED_IV, ivBin);
 381
 382     auto mgr = CKM::Manager::create();
 383     RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKMErrorToString(temp));
 384     RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == expected, "Data does not match");
 385 }
 386