src/ckm/privileged/initial-values.cpp

   1 /*
   2  *  Copyright (c) 2015 - 2020 Samsung Electronics Co.
   3  *
   4  *  Licensed under the Apache License, Version 2.0 (the "License");
   5  *  you may not use this file except in compliance with the License.
   6  *  You may obtain a copy of the License at
   7  *
   8  *      http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *  Unless required by applicable law or agreed to in writing, software
  11  *  distributed under the License is distributed on an "AS IS" BASIS,
  12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *  See the License for the specific language governing permissions and
  14  *  limitations under the License
  15  *
  16  * @file       system-db.cpp
  17  * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
  18  * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
  19  * @version    1.0
  20  */
  21 #include <dpl/test/test_runner.h>
  22 #include <dpl/test/test_runner_child.h>
  23 #include <tests_common.h>
  24 #include <ckm-common.h>
  25 #include <ckm-privileged-common.h>
  26 #include <ckm/ckm-control.h>
  27 #include <ckm/ckm-manager.h>
  28 #include <ckmc/ckmc-manager.h>
  29 #include <access_provider2.h>
  30 #include <fstream>
  31 #include <ios>
  32 #include <unistd.h>
  33
  34 namespace
  35 {
  36 const uid_t USER_APP            = 5070;
  37 const uid_t GROUP_APP           = 5070;
  38 const char* APP_PASS            = "user-pass";
  39
  40 const char *XML_1_okay                  = "XML_1_okay.xml";
  41 std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  42 std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
  43 std::string XML_1_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key2");
  44 // uncomment when AES is supported (+ usage in the tests)
  45 std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test-aes1");
  46 std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  47 std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  48 const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
  49
  50 const char *XML_2_okay                  = "XML_2_okay.xml";
  51 std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
  52 std::string XML_2_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key2");
  53 // uncomment when AES is supported
  54 std::string XML_2_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "test2-aes1");
  55 std::string XML_2_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test2-cert1");
  56 std::string XML_2_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test2-data1");
  57 const char *XML_2_EXPECTED_DATA_1_DATA  = "My secret data";
  58
  59 const char *XML_3_wrong                 = "XML_3_wrong.xml";
  60 std::string XML_3_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key1");
  61 std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "test3-key2");
  62 // uncomment when AES is supported
  63 std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  64 std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  65
  66 auto format_dest_path(const char *file)
  67 {
  68     return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
  69 }
  70
  71 void test_not_exists(const char *file) {
  72     const auto name = format_dest_path(file);
  73     const bool file_exists = access(name.c_str(), F_OK) != -1;
  74     RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
  75 }
  76
  77 void copy_file(const char *file)
  78 {
  79     const auto src = std::string(CKM_TEST_DIR) + file;
  80     const auto dest = format_dest_path(file);
  81     std::ifstream infile(src, std::ios_base::binary);
  82     RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
  83     std::ofstream outfile(dest, std::ios_base::binary);
  84     RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
  85     outfile << infile.rdbuf();
  86 }
  87
  88 void restart_key_manager(const std::initializer_list<const char *> files_to_copy = {})
  89 {
  90     stop_service(MANAGER);
  91     for (const auto f : files_to_copy)
  92         copy_file(f);
  93     start_service(MANAGER);
  94 }
  95
  96 int hexToBin(char h) {
  97     if (h >= '0' && h <= '9')
  98         return h - '0';
  99     if (h >= 'a' && h <= 'f')
 100         return h - 'a' + 10;
 101     if (h >= 'A' && h <= 'F')
 102         return h - 'A' + 10;
 103     RUNNER_ASSERT_MSG(false, "Input out of scope");
 104 }
 105
 106 CKM::RawBuffer hexToBin(std::string &hex) {
 107     CKM::RawBuffer output;
 108     output.resize(hex.size()/2);
 109     for (size_t i=0; i<output.size(); ++i) {
 110         output[i] = hexToBin(hex[i*2])*16 +
 111                     hexToBin(hex[i*2 + 1]);
 112     }
 113     return output;
 114 }
 115
 116 } // namespace
 117
 118 RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
 119
 120 RUNNER_TEST(T6001_init)
 121 {
 122     // [prepare]
 123     // remove database 0
 124     // copy to the initial-values folder
 125     // check XML file exists
 126     // restart the key-manager
 127     // check XML file doesn't exist
 128
 129     const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
 130     restart_key_manager(files);
 131     for (const auto f : files)
 132         test_not_exists(f);
 133 }
 134
 135 RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
 136 {
 137     // [test1]
 138     // check items existence as system service
 139     // [test2]
 140     // check items existence as TEST_LABEL
 141     // [test3]
 142     // check items existence as TEST_LABEL_2
 143
 144     // [test1]
 145     {
 146         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 147         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 148         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 149         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 150         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 151     }
 152
 153     // [test2]
 154     {
 155         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 156         ScopedAccessProvider ap(TEST_LABEL, USER_APP, GROUP_APP);
 157
 158         check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 159         check_key_not_visible(XML_1_EXPECTED_KEY_2_RSA.c_str());
 160         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 161         check_cert_not_visible(XML_1_EXPECTED_CERT_1.c_str());
 162         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 163     }
 164
 165     // [test3]
 166     {
 167         ScopedDBUnlock unlock(USER_APP, APP_PASS);
 168         ScopedAccessProvider ap(TEST_LABEL_2, USER_APP, GROUP_APP);
 169
 170         check_key_not_visible(XML_1_EXPECTED_KEY_1_RSA.c_str());
 171         check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 172         check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 173         check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 174         check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 175     }
 176 }
 177
 178 RUNNER_TEST(T6020_PARSE_TWO_XML_FILES_AT_STARTUP)
 179 {
 180     // [test]
 181     // check items existence as system service
 182     check_key(XML_1_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 183     check_key(XML_2_EXPECTED_KEY_1_RSA.c_str(), CKMC_ERROR_NOT_EXPORTABLE);
 184     check_key_allowed(XML_1_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 185     check_key_allowed(XML_2_EXPECTED_KEY_2_RSA.c_str(), CKMC_KEY_RSA_PRIVATE);
 186     check_key_allowed(XML_1_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 187     check_key_allowed(XML_2_EXPECTED_KEY_3_AES.c_str(), CKMC_KEY_AES);
 188     check_cert_allowed(XML_1_EXPECTED_CERT_1.c_str());
 189     check_cert_allowed(XML_2_EXPECTED_CERT_1.c_str());
 190     check_read_allowed(XML_1_EXPECTED_DATA_1.c_str(), XML_1_EXPECTED_DATA_1_DATA);
 191     check_read_allowed(XML_2_EXPECTED_DATA_1.c_str(), XML_2_EXPECTED_DATA_1_DATA);
 192 }
 193
 194 RUNNER_TEST(T6030_PARSE_FAIL_XML_AT_STARTUP)
 195 {
 196     // [test]
 197     // check items existence as system service - nothing should be available
 198     check_key_not_visible(XML_3_EXPECTED_KEY_1_RSA.c_str());
 199     check_key_not_visible(XML_3_EXPECTED_KEY_2_RSA.c_str());
 200     check_cert_not_visible(XML_3_EXPECTED_CERT_1.c_str());
 201     check_read_not_visible(XML_3_EXPECTED_DATA_1.c_str());
 202 }
 203
 204 RUNNER_TEST(T6040_CHECK_KEYS_VALID)
 205 {
 206     // [test]
 207     // check if key can create & verify signature
 208     ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
 209     ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
 210     ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
 211     ckmc_raw_buffer_s *signature = NULL;
 212     int temp;
 213     RUNNER_ASSERT_MSG(
 214             CKMC_ERROR_NONE == (temp = ckmc_create_signature(
 215                     XML_1_EXPECTED_KEY_2_RSA.c_str(),
 216                     NULL,
 217                     msg_buff,
 218                     hash_algo,
 219                     pad_algo,
 220                     &signature)),
 221             CKMCReadableError(temp));
 222
 223     // invalid password
 224     RUNNER_ASSERT_MSG(
 225             CKMC_ERROR_AUTHENTICATION_FAILED == (temp = ckmc_verify_signature(
 226                         XML_1_EXPECTED_KEY_1_RSA.c_str(),
 227                         NULL,
 228                         msg_buff,
 229                         *signature,
 230                         hash_algo,
 231                         pad_algo)),
 232                 CKMCReadableError(temp));
 233
 234     // correct password
 235     RUNNER_ASSERT_MSG(
 236             CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
 237                     XML_1_EXPECTED_KEY_1_RSA.c_str(),
 238                     XML_1_EXPECTED_KEY_1_PASSWD.c_str(),
 239                     msg_buff,
 240                     *signature,
 241                     hash_algo,
 242                     pad_algo)),
 243             CKMCReadableError(temp));
 244
 245     ckmc_buffer_free(signature);
 246 }
 247
 248 RUNNER_TEST(T6999_deinit)
 249 {
 250     remove_user_data(0);
 251 }
 252
 253 RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
 254 {
 255     int temp;
 256     std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
 257     std::string iv         = EIV_MESSAGE_ENCRYPTION_IV;
 258
 259     restart_key_manager({EIV_TEST_XML_FILENAME});
 260
 261     CKM::CryptoAlgorithm algo;
 262     CKM::RawBuffer messageBin = hexToBin(messageHex);
 263     CKM::RawBuffer ivBin(iv.begin(), iv.end());
 264     CKM::RawBuffer decrypted;
 265
 266     algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
 267     algo.setParam(CKM::ParamName::ED_IV, ivBin);
 268
 269     auto mgr = CKM::Manager::create();
 270     RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
 271     RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
 272 }
 273
 274 RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
 275 {
 276     restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
 277     constexpr char testDataStr[] = "test-data";
 278     const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
 279     CKM::RawBuffer encrypted, decrypted, signature;
 280     CKM::CryptoAlgorithm algoRsa;
 281     algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
 282
 283     auto mgr = CKM::Manager::create();
 284     int temp;
 285
 286     #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
 287
 288     const auto rsaCrypt = [&](auto pub, auto prv) {
 289         MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
 290         RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
 291         MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
 292         RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
 293     };
 294
 295     rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
 296     rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
 297
 298     const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
 299         MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
 300         MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
 301     };
 302
 303     constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
 304     constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
 305     sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
 306     sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
 307     sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
 308
 309     #undef MGR
 310 }
 311
 312 /* TODO
 313  * - RW/RO location support (files removal, flag handling)
 314  * - item overwrite
 315  * - backend attribute support
 316  * - independent tests
 317  * - different formats (also encrypted)
 318  * - complex tests using ckm-initial-values tool
 319  */