2 * Copyright (c) 2015 - 2019 Samsung Electronics Co.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @author Maciej Karpiuk (m.karpiuk2@samsung.com)
18 * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
21 #include <dpl/test/test_runner.h>
22 #include <dpl/test/test_runner_child.h>
23 #include <tests_common.h>
24 #include <ckm-common.h>
25 #include <ckm-privileged-common.h>
26 #include <ckm/ckm-control.h>
27 #include <ckm/ckm-manager.h>
28 #include <ckmc/ckmc-manager.h>
29 #include <access_provider2.h>
36 const uid_t USER_APP = 5070;
37 const uid_t GROUP_APP = 5070;
38 const char* APP_PASS = "user-pass";
40 const char *XML_1_okay = "XML_1_okay.xml";
41 std::string XML_1_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test-key1");
42 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
43 std::string XML_1_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test-key2");
44 // uncomment when AES is supported (+ usage in the tests)
45 std::string XML_1_EXPECTED_KEY_3_AES = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
46 std::string XML_1_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
47 std::string XML_1_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test-data1");
48 const char *XML_1_EXPECTED_DATA_1_DATA = "My secret data";
50 const char *XML_2_okay = "XML_2_okay.xml";
51 std::string XML_2_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
52 std::string XML_2_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
53 // uncomment when AES is supported
54 std::string XML_2_EXPECTED_KEY_3_AES = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
55 std::string XML_2_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
56 std::string XML_2_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
57 const char *XML_2_EXPECTED_DATA_1_DATA = "My secret data";
59 const char *XML_3_wrong = "XML_3_wrong.xml";
60 std::string XML_3_EXPECTED_KEY_1_RSA = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
61 std::string XML_3_EXPECTED_KEY_2_RSA = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
62 // uncomment when AES is supported
63 std::string XML_3_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
64 std::string XML_3_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
66 auto format_dest_path(const char *file)
68 return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
71 void test_not_exists(const char *file) {
72 const auto name = format_dest_path(file);
73 const bool file_exists = access(name.c_str(), F_OK) != -1;
74 RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
77 void copy_file(const char *file)
79 const auto src = std::string(CKM_TEST_DIR) + file;
80 const auto dest = format_dest_path(file);
81 std::ifstream infile(src, std::ios_base::binary);
82 RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
83 std::ofstream outfile(dest, std::ios_base::binary);
84 RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
85 outfile << infile.rdbuf();
88 void restart_key_manager(const std::initializer_list<const char *> files_to_copy = {})
90 stop_service(MANAGER);
91 for (const auto f : files_to_copy)
93 start_service(MANAGER);
96 int hexToBin(char h) {
97 if (h >= '0' && h <= '9')
99 if (h >= 'a' && h <= 'f')
101 if (h >= 'A' && h <= 'F')
103 RUNNER_ASSERT_MSG(false, "Input out of scope");
106 CKM::RawBuffer hexToBin(std::string &hex) {
107 CKM::RawBuffer output;
108 output.resize(hex.size()/2);
109 for (size_t i=0; i<output.size(); ++i) {
110 output[i] = hexToBin(hex[i*2])*16 +
111 hexToBin(hex[i*2 + 1]);
118 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
120 RUNNER_TEST(T6001_init)
124 // copy to the initial-values folder
125 // check XML file exists
126 // restart the key-manager
127 // check XML file doesn't exist
129 const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
130 restart_key_manager(files);
131 for (const auto f : files)
135 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
138 // check items existence as system service
140 // check items existence as TEST_LABEL
142 // check items existence as TEST_LABEL_2
146 check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
147 check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
148 check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
149 check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
150 check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
155 ScopedDBUnlock unlock(USER_APP, APP_PASS);
156 ScopedAccessProvider ap(TEST_LABEL);
157 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
159 check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
160 check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
161 check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
162 check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
163 check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
168 ScopedDBUnlock unlock(USER_APP, APP_PASS);
169 ScopedAccessProvider ap(TEST_LABEL_2);
170 ap.applyAndSwithToUser(USER_APP, GROUP_APP);
172 check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
173 check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
174 check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
175 check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
176 check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
180 RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
183 // check items existence as system service
184 check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
185 check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
186 check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
187 check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
188 check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
189 check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
190 check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
191 check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
192 check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
193 check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
196 RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
199 // check items existence as system service - nothing should be available
200 check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
201 check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
202 check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
203 check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
206 RUNNER_TEST(T6040_CHECK_KEYS_VALID)
209 // check if key can create & verify signature
210 ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
211 ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
212 ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
213 ckmc_raw_buffer_s *signature = NULL;
216 CKMC_ERROR_NONE == (temp = ckmc_create_signature(
217 XML_1_EXPECTED_KEY_2_RSA.c_str(),
223 CKMCReadableError(temp));
227 CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
228 XML_1_EXPECTED_KEY_1_RSA.c_str(),
234 CKMCReadableError(temp));
238 CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
239 XML_1_EXPECTED_KEY_1_RSA.c_str(),
240 XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
245 CKMCReadableError(temp));
247 ckmc_buffer_free(signature);
250 RUNNER_TEST(T6999_deinit)
255 RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
258 std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
259 std::string iv = EIV_MESSAGE_ENCRYPTION_IV;
261 restart_key_manager({EIV_TEST_XML_FILENAME});
263 CKM::CryptoAlgorithm algo;
264 CKM::RawBuffer messageBin = hexToBin(messageHex);
265 CKM::RawBuffer ivBin(iv.begin(), iv.end());
266 CKM::RawBuffer decrypted;
268 algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
269 algo.setParam(CKM::ParamName::ED_IV, ivBin);
271 auto mgr = CKM::Manager::create();
272 RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
273 RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
276 RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
278 restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
279 constexpr char testDataStr[] = "test-data";
280 const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
281 CKM::RawBuffer encrypted, decrypted, signature;
282 CKM::CryptoAlgorithm algoRsa;
283 algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
285 auto mgr = CKM::Manager::create();
288 #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
290 const auto rsaCrypt = [&](auto pub, auto prv) {
291 MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
292 RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
293 MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
294 RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
297 rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
298 rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
300 const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
301 MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
302 MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
305 constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
306 constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
307 sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
308 sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
309 sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
315 * - RW/RO location support (files removal, flag handling)
317 * - backend attribute support
318 * - independent tests
319 * - different formats (also encrypted)
320 * - complex tests using ckm-initial-values tool