src/ckm/privileged/initial-values.cpp

   1 /*
   2  *  Copyright (c) 2015 - 2019 Samsung Electronics Co.
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  * @file       system-db.cpp
  17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
  18  * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
  19  * @version    1.0
  20  */
  21 #include <dpl/test/test_runner.h>
  22 #include <dpl/test/test_runner_child.h>
  23 #include <tests_common.h>
  24 #include <ckm-common.h>
  25 #include <ckm-privileged-common.h>
  26 #include <ckm/ckm-control.h>
  27 #include <ckm/ckm-manager.h>
  28 #include <ckmc/ckmc-manager.h>
  29 #include <access_provider2.h>
  30 #include <fstream>
  31 #include <ios>
  32 #include <unistd.h>
  33
  34 namespace
  35 {
  36 const uid_t USER_APP            = 5070;
  37 const uid_t GROUP_APP           = 5070;
  38 const char* APP_PASS            = "user-pass";
  39
  40 const char *XML_1_okay                  = "XML_1_okay.xml";
  41 std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  42 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
  43 std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
  44 // uncomment when AES is supported (+ usage in the tests)
  45 std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
  46 std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  47 std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  48 const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
  49
  50 const char *XML_2_okay                  = "XML_2_okay.xml";
  51 std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
  52 std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
  53 // uncomment when AES is supported
  54 std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
  55 std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
  56 std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
  57 const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";
  58
  59 const char *XML_3_wrong                 = "XML_3_wrong.xml";
  60 std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
  61 std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
  62 // uncomment when AES is supported
  63 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  64 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  65
  66 auto format_dest_path(const char *file)
  67 {
  68     return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
  69 }
  70
  71 void test_not_exists(const char *file) {
  72     const auto name = format_dest_path(file);
  73     const bool file_exists = access(name.c_str(), F_OK) != -1;
  74     RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
  75 }
  76
  77 void copy_file(const char *file)
  78 {
  79     const auto src = std::string(CKM_TEST_DIR) + file;
  80     const auto dest = format_dest_path(file);
  81     std::ifstream infile(src, std::ios_base::binary);
  82     RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
  83     std::ofstream outfile(dest, std::ios_base::binary);
  84     RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
  85     outfile << infile.rdbuf();
  86 }
  87
  88 void restart_key_manager(const std::initializer_list<const char *> files_to_copy = {})
  89 {
  90     stop_service(MANAGER);
  91     for (const auto f : files_to_copy)
  92         copy_file(f);
  93     start_service(MANAGER);
  94 }
  95
  96 int hexToBin(char h) {
  97     if (h >= '0' && h <= '9')
  98         return h - '0';
  99     if (h >= 'a' && h <= 'f')
 100         return h - 'a' + 10;
 101     if (h >= 'A' && h <= 'F')
 102         return h - 'A' + 10;
 103     RUNNER_ASSERT_MSG(false, "Input out of scope");
 104 }
 105
 106 CKM::RawBuffer hexToBin(std::string &hex) {
 107     CKM::RawBuffer output;
 108     output.resize(hex.size()/2);
 109     for (size_t i=0; i<output.size(); ++i) {
 110         output[i] = hexToBin(hex[i*2])*16 +
 111                     hexToBin(hex[i*2 + 1]);
 112     }
 113     return output;
 114 }
 115
 116 } // namespace
 117
 118 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 119
 120 RUNNER_TEST(T6001_init)
 121 {
 122     // [prepare]
 123     // remove database 0
 124     // copy to the initial-values folder
 125     // check XML file exists
 126     // restart the key-manager
 127     // check XML file doesn't exist
 128
 129     const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
 130     restart_key_manager(files);
 131     for (const auto f : files)
 132         test_not_exists(f);
 133 }
 134
 135 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
 136 {
 137     // [test1]
 138     // check items existence as system service
 139     // [test2]
 140     // check items existence as TEST_LABEL
 141     // [test3]
 142     // check items existence as TEST_LABEL_2
 143
 144     // [test1]
 145     {
 146         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 147         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 148         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 149         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 150         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 151     }
 152
 153     // [test2]
 154     {
 155         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 156         ScopedAccessProvider ap(TEST_LABEL);
 157         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 158
 159         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 160         check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
 161         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 162         check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
 163         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 164     }
 165
 166     // [test3]
 167     {
 168         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 169         ScopedAccessProvider ap(TEST_LABEL_2);
 170         ap.applyAndSwithToUser(USER_APP, GROUP_APP);
 171
 172         check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
 173         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 174         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 175         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 176         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 177     }
 178 }
 179
 180 RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
 181 {
 182     // [test]
 183     // check items existence as system service
 184     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 185     check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 186     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 187     check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 188     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 189     check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 190     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 191     check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
 192     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 193     check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
 194 }
 195
 196 RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
 197 {
 198     // [test]
 199     // check items existence as system service - nothing should be available
 200     check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
 201     check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
 202     check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
 203     check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
 204 }
 205
 206 RUNNER_TEST(T6040_CHECK_KEYS_VALID)
 207 {
 208     // [test]
 209     // check if key can create & verify signature
 210     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 211     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 212     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 213     ckmc_raw_buffer_s *signature = NULL;
 214     int temp;
 215     RUNNER_ASSERT_MSG(
 216             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 217                     XML_1_EXPECTED_KEY_2_RSA.c_str(),
 218                     NULL,
 219                     msg_buff,
 220                     hash_algo,
 221                     pad_algo,
 222                     &signature)),
 223             CKMCReadableError(temp));
 224
 225     // invalid password
 226     RUNNER_ASSERT_MSG(
 227             CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
 228                         XML_1_EXPECTED_KEY_1_RSA.c_str(),
 229                         NULL,
 230                         msg_buff,
 231                         *signature,
 232                         hash_algo,
 233                         pad_algo)),
 234                 CKMCReadableError(temp));
 235
 236     // correct password
 237     RUNNER_ASSERT_MSG(
 238             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 239                     XML_1_EXPECTED_KEY_1_RSA.c_str(),
 240                     XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
 241                     msg_buff,
 242                     *signature,
 243                     hash_algo,
 244                     pad_algo)),
 245             CKMCReadableError(temp));
 246
 247     ckmc_buffer_free(signature);
 248 }
 249
 250 RUNNER_TEST(T6999_deinit)
 251 {
 252     remove_user_data(0);
 253 }
 254
 255 RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
 256 {
 257     int temp;
 258     std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
 259     std::string iv         = EIV_MESSAGE_ENCRYPTION_IV;
 260
 261     restart_key_manager({EIV_TEST_XML_FILENAME});
 262
 263     CKM::CryptoAlgorithm algo;
 264     CKM::RawBuffer messageBin = hexToBin(messageHex);
 265     CKM::RawBuffer ivBin(iv.begin(), iv.end());
 266     CKM::RawBuffer decrypted;
 267
 268     algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
 269     algo.setParam(CKM::ParamName::ED_IV, ivBin);
 270
 271     auto mgr = CKM::Manager::create();
 272     RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
 273     RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
 274 }
 275
 276 RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
 277 {
 278     restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
 279     constexpr char testDataStr[] = "test-data";
 280     const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
 281     CKM::RawBuffer encrypted, decrypted, signature;
 282     CKM::CryptoAlgorithm algoRsa;
 283     algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
 284
 285     auto mgr = CKM::Manager::create();
 286     int temp;
 287
 288     #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
 289
 290     const auto rsaCrypt = [&](auto pub, auto prv) {
 291         MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
 292         RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
 293         MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
 294         RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
 295     };
 296
 297     rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
 298     rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
 299
 300     const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
 301         MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
 302         MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
 303     };
 304
 305     constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
 306     constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
 307     sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
 308     sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
 309     sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
 310
 311     #undef MGR
 312 }
 313
 314 /* TODO
 315  * - RW/RO location support (files removal, flag handling)
 316  * - item overwrite
 317  * - backend attribute support
 318  * - independent tests
 319  * - different formats (also encrypted)
 320  * - complex tests using ckm-initial-values tool
 321  */