############################# compiler flags ##################################
SET(CMAKE_C_FLAGS "-g")
-SET(CMAKE_CXX_FLAGS "-g -std=c++0x")
+SET(CMAKE_CXX_FLAGS "-g -std=c++14")
SET(CMAKE_C_FLAGS_PROFILING "-O0 -pg")
SET(CMAKE_CXX_FLAGS_PROFILING "-O0 -pg")
SET(CMAKE_C_FLAGS_DEBUG "-O0 -ggdb")
BuildRequires: pkgconfig(libgum) >= 1.0.5
BuildRequires: pkgconfig(security-privilege-manager)
BuildRequires: pkgconfig(libsystemd)
+BuildRequires: openssl1.1
Requires: perf
Requires: gdb
Requires: diffutils
ADD_DEFINITIONS("-DCKM_TEST_DIR=\"${CKM_TEST_DIR}\"")
ADD_DEFINITIONS("-DCKM_RW_DATA_DIR=\"${CKM_RW_DATA_DIR}\"")
+OPTION("TZ_BACKEND" OFF)
+IF(TZ_BACKEND)
+ ADD_DEFINITIONS("-DTZ_BACKEND")
+ENDIF(TZ_BACKEND)
OPTION("TZ_BACKEND" OFF)
IF(TZ_BACKEND)
--- /dev/null
+This guideline explains how src/resource/pkcs.p12 is generated.
+
+
+The certificate chain looks as follows (arrow denotes the signing):
+
+SERVER <-- CA_INT <-- CA
+
+That is the CA is a root CA, CA_INT is an intermediate/1st level CA,
+and SERVER is a final/2nd level CA.
+
+
+Files:
+- ca.key, CA's private key used to sign CA_INT certificate
+- ca.crt, CA's certificate used to verify a certificate chain (it's
+ the last certificate in the chain)
+- ca-int.key, CA_INT's private key used to sign SERVER certificate
+- ca-int.csr, CA_INT's certificate signing request (to be signed with
+ ca.key)
+- ca-int.crt, CA_INT's certificate signed by CA
+- server.key, SERVER's private key used to sign client certificates
+- server.csr, SERVER's certificate signing request (to be signed with
+ ca-int.key)
+- server.crt, SERVER's certificate signed by CA_INT
+- chain.pem, chain of CA, CA_INT and SERVER certificates in PEM format
+ (can be used for validation)
+
+
+Keys should be left untouched. In case they are lost they can be
+regenerated with:
+
+ openssl genrsa -out ca.key 1024 (or any other lenght)
+
+
+Certificate signing requests
+
+ Each certificate must have a different Common Name (CN). The command
+ for CSR generation will prompt you for it (and for other fields).
+
+
+Openssl ca setup
+
+ Openssl 1.1.1 requires root and intermediate CA certficates (that is
+ all 3 of above) to have a 'CA' set to 'true' in basicConstraints
+ extension. It applies to trusted certificates as well. The 'openssl
+ ca' tool allows that with proper configuration. Modifications in
+ /etc/ssl/openssl.cnf in [ CA_default ] section:
+ - set 'x509_extensions' to 'v3_ca' to add the v3 CA extension,
+ - set 'policy' to 'policy_anything' to get rid of strict CSR field
+ matching rules.
+
+ Before 'openssl ca' can be used you have to provide a proper
+ directory structure for it. By default it needs a following hierarchy
+ in ./demoCA (paths can be modified in /etc/ssl/openssl.cnf):
+ - demoCA/
+ - private/
+ - cakey.pem - The private key used to sign the certificate. For
+ ca-int.csr it will be ca.key.
+ - cacert.pem - The certificate of the signing CA. For ca-int.csr it
+ will be ca.crt.
+ - index.txt - Empty file (touch index.txt)
+ - serial - A file with serial number (echo 1000 > serial)
+
+
+Certificate generation
+
+- CA:
+
+ Generate a self signed certificate (root ca):
+
+ openssl req -key ca.key -new -x509 -days 3650 -sha256 -out ca.crt
+
+- CA_INT:
+
+ Generate a signing request:
+
+ openssl req -new -key ca.key -out ca-int.csr
+
+ Sign the certificate using CA:
+
+ openssl ca -days 3650 -notext -md sha256 -in ca-int.csr -out \
+ ca-int.crt
+
+- SERVER:
+
+ Generate a signing request:
+
+ openssl req -new -key ca-int.key -out server.csr
+
+ Sign the certificate using CA_INT:
+
+ openssl ca -days 3650 -notext -md sha256 -in server.csr -out \
+ server.crt
+
+
+Export server private key, certificate and the rest of the chain to
+pkcs12:
+
+ cat ca.crt ca-int.crt > chain.pem
+
+ openssl pkcs12 -export -out pkcs.p12 -inkey server.key -in server.crt \
+ -certfile chain.pem
+
+
+Useful commands
+
+- Display certificate info
+
+ openssl x509 -in ca.crt -text -noout
+
+- Display csr info
+
+ openssl req -in ca-int.csr -text -noout
+
+- Display pkcs12 contents in PEM format
+
+ openssl pkcs12 -in pkcs.p12 -info
+
+- Display certificate purpose
+
+ openssl x509 -in ca.crt -purpose
+
+- Sign a client's certificate with server one:
+
+ openssl req -new -key server.key -out client.csr
+ openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
+ -CAcreateserial -out client.crt -days 3650
+
+- Verify a certficate against a local chain
+
+ openssl verify -CAfile chain.pem client.crt
+
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM
+MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft
+c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI
+hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX
+DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh
+dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR
+Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp
+AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o
+u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX
+C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW
+BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY
+kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW
+gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8
+7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS
+vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRY2Et
+aW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEpAxNN
+reF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7ou3c3
+oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVXC9pU
+GRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGgADANBgkqhkiG9w0BAQsF
+AAOBgQC8b7cVVV4z5Bp/XxowzlfhMGL17EE2vgMwpCNNQ+fOpPrrEwmhyg0I4R5+
+iXrnxELVI/cqBUpS84ZHBlNgQAS8F9Wx6AU0yEUBcNqJiMjUreA56VZAfGb+/Sv+
+t6ZQrYtof38aaHfMxhYlCsZzuKGNWvQsLAgxvlBQgHEW9xsqHQ==
+-----END CERTIFICATE REQUEST-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDhKQMTTa3hfhz0z85zXXlKXMF3yX+bA43wvaeuPIw24sLvH8hK
+VkMoNV54aBnN2Uk+6Lt3N6CavPa8OS/HOL8RukB1xNzR82Thab7vraciHH6E6AUV
+IihJqbetEposQPVVVwvaVBkclJ4wyOFrr9mTcNOJWICBhPY3UjAPnUimHwIDAQAB
+AoGBAMvEP+JCVHBTn4T2Y5IIL/JaS0RK+M6iwtvx50RJy2MIiP27N5n+wzwqQFqb
+a27di+oA2Vck4pXnGSxyXIjhFBgWdLmryJM44DSVlWanb5n2A1GW291MGA8bGR/H
+TCbsuaEm3Z2ggFighQAp2Zuao2lKuMDOgOzpu+0k7lqtfsqxAkEA8ZHC7ocrlRtM
+EzafCi1htuwl9t02Do1q+wn8u5kbKPJ7q4ZNm/sUECfHBE7SbwxNxIEWKuZ5U8V4
+A42VPnO9gwJBAO6cT4IdILqxfxNPd97DY+rT64O/mPIJGC3cmDonf4kc+RuaqbT+
+D9WKp1cwmoeaJDrWbWFWi3cjBrrLd6JxzjUCQQC7s8Heq6Mesd4z065SLx8NDoMV
+RZ+aQSJOO91oOzhSYc/cYHfvanGVeAL5AvIaHVpUBOWfogPGJtrxD9NWeoJXAkEA
+n4CLwZ15AHOgT6dCqP2R8Crjd3l/YuPjbtzUQaOfpGdiuiokIaHnscZy4FzUH6tR
+ZqdqDLROnEAkwn86pLNQtQJBAOAsXPLUpVuJEtPZB1CNLdFkRqkqgFNPnGSIUnTp
++f5H8AHCb1tX/QllL3s6phZ9qds0qrwNxQzgiVATXZyRov4=
+-----END RSA PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV
+BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl
+MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx
+MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG
+UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV
+BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r
+YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6
+xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY
+druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O
+BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg
+4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ
+SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3
+ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA
+2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I
+v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI
+ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB
+AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA
+snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/
+iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh
+dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY
+bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO
+vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R
+ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7
+pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm
+oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D
+3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7
+-----END RSA PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV
+BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl
+MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx
+MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG
+UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV
+BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r
+YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6
+xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY
+druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O
+BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg
+4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ
+SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3
+ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA
+2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM
+MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft
+c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI
+hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX
+DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh
+dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR
+Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp
+AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o
+u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX
+C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW
+BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY
+kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW
+gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8
+7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS
+vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx
+EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw
+NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD
+VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC
+DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY
+xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD
+VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b
+6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA
+pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3
+cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh
+DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx
+EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw
+NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD
+VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC
+DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY
+xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD
+VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b
+6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA
+pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3
+cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh
+DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vy
+dmVyQHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOCY+6t
+NBrfBueUz72cIRC+EO+JhG9IL1MvmUAwEKYFKX3e/RQFdayo75+YAg2blAlrz2EX
+k3tDjG299IlQ8h7LOjBM4QYzhTcWcm2Ww1Cyg1sWU3JAuhlmaZjiWMbr9ipf4kYG
+BL38ny69oNaS+z6S2Q5HKB83PgaLkMRFPt55AgMBAAGgADANBgkqhkiG9w0BAQsF
+AAOBgQCY3jWaE33hy1JVni9bLCUYwOz6VJVV8d1WWpSf7CpIgrXUQFPOIfO71jlf
+Vn99iYCUIodq+9M9dyeNoU1mkAp2LpG3Y3DjePpIyM3zLLEM/CmQ9ZbuS/zKl5fO
+KoItsRl0uFJEEEHw7lWxdRuIvzix5SFxTApiMPktjtCs/9eAew==
+-----END CERTIFICATE REQUEST-----
--- /dev/null
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U
+BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy
+QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB
+AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn
+RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh
+22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR
+wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys
+PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU
+91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9
+uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS
+Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2
+wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx
+bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw==
+-----END RSA PRIVATE KEY-----
SET(EIV_PLAIN_MESSAGE "ShortTestMessage")
SET(EIV_MESSAGE_ENCRYPTION_IV "abcdefghijklmnop")
+SET(EIV_TEST_ASYM_XML_FILENAME "encrypted_initial_values_asym.xml")
+SET(EIV_TEST_ASYM_XML ${CMAKE_CURRENT_SOURCE_DIR}/${EIV_TEST_ASYM_XML_FILENAME})
+
# encrypt ShortTestMessage using the imported key and 'abcdefghijklmnop' IV
EXECUTE_PROCESS(
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/aes_128_cbc_encrypt.sh ${EIV_KEY_TO_BE_IMPORTED} ${EIV_MESSAGE_ENCRYPTION_IV}
MESSAGE(FATAL_ERROR "Encryption failed: ${EIV_ENCRYPTION_STDERR}")
ENDIF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0")
+SET(EIV_FILES ${EIV_TEST_XML} ${EIV_TEST_ASYM_XML})
+
# prepare initial values xml target
-ADD_CUSTOM_COMMAND(OUTPUT ${EIV_TEST_XML}
- COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key
+ADD_CUSTOM_COMMAND(OUTPUT ${EIV_FILES}
COMMAND echo -n THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE= | base64 --decode > /tmp/encryption_key
- COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware -x ${EIV_TEST_XML}
+
+ COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware > ${EIV_TEST_XML}
+
+ COMMAND openssl genpkey -algorithm RSA -outform DER > /tmp/prvkey
+ COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PRV -t Key -s RSA_PRV > ${EIV_TEST_ASYM_XML}
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+ COMMAND openssl genpkey -algorithm RSA -outform PEM > /tmp/prvkey.pem
+ COMMAND openssl pkcs8 -topk8 -inform PEM -in /tmp/prvkey.pem -outform DER -nocrypt -out /tmp/prvkey
+ COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PRV -t Key -s RSA_PRV -x ${EIV_TEST_ASYM_XML}
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+ COMMAND openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt dsa_paramgen_q_bits:160 > /tmp/params.pem
+ COMMAND openssl genpkey -paramfile /tmp/params.pem -outform DER > /tmp/prvkey
+ COMMAND openssl dsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_DSA_PRV -t Key -s DSA_PRV -x ${EIV_TEST_ASYM_XML}
+ COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_DSA_PUB -t Key -s DSA_PUB -x ${EIV_TEST_ASYM_XML}
+
COMMENT "Generating encrypted initial values test xml"
VERBATIM
)
-ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_TEST_XML})
+ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_FILES})
-INSTALL(FILES ${EIV_TEST_XML} DESTINATION ${CKM_TEST_DIR})
+INSTALL(FILES ${EIV_FILES} DESTINATION ${CKM_TEST_DIR})
# ckm-tests
PKG_CHECK_MODULES(CKM_DEP
PRIVATE EIV_ENCRYPTED_MESSAGE_HEX="${EIV_ENCRYPTED_MESSAGE_HEX}"
PRIVATE EIV_MESSAGE_ENCRYPTION_IV="${EIV_MESSAGE_ENCRYPTION_IV}"
PRIVATE EIV_TEST_XML_FILENAME="${EIV_TEST_XML_FILENAME}"
+ PRIVATE EIV_TEST_ASYM_XML_FILENAME="${EIV_TEST_ASYM_XML_FILENAME}"
)
INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin)
-#!/bin/bash -e
+#!/bin/bash
+set -euo pipefail
if [ "$#" -ne 2 ]
then
const char* TEST_ALIAS3 = "test-alias3";
const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
+const char* RSA_PUB_KEY_PEM =
+ "-----BEGIN PUBLIC KEY-----\n"
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n"
+ "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n"
+ "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n"
+ "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n"
+ "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n"
+ "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n"
+ "zQIDAQAB\n"
+ "-----END PUBLIC KEY-----";
void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
{
check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
}
}
+
+RUNNER_TEST(utc_ckmc_get_key_alias_info_list_p)
+{
+ ckmc_alias_info_list_s* ppalias_list = NULL;
+
+ int ret = ckmc_get_key_alias_info_list(&ppalias_list);
+ ckmc_alias_info_list_all_free(ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_key_alias_info_list_n)
+{
+ int ret = ckmc_get_key_alias_info_list(NULL);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_p)
+{
+ ckmc_alias_info_list_s* ppalias_list = NULL;
+
+ int ret = ckmc_get_cert_alias_info_list(&ppalias_list);
+ ckmc_alias_info_list_all_free(ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_n)
+{
+ int ret = ckmc_get_cert_alias_info_list(NULL);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p1)
+{
+ ckmc_alias_info_list_s* ppalias_list = NULL;
+
+ int ret = ckmc_get_data_alias_info_list(&ppalias_list);
+ ckmc_alias_info_list_all_free(ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p2, RemoveDataEnv<APP_1>)
+{
+ ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+ save_data(TEST_ALIAS, TEST_DATA);
+
+ ckmc_alias_info_list_s* ppalias_list = NULL;
+
+ int ret = ckmc_get_data_alias_info_list(&ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, returned: " << CKMCErrorToString(ret));
+
+ char* alias = NULL;
+ ret = ckmc_alias_info_get_alias(ppalias_list->info, &alias);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias, returned: " << CKMCErrorToString(ret));
+ RUNNER_ASSERT_MSG(ppalias_list->next == NULL, "More elements returned");
+ std::string aliasOrig = std::string(APP_LABEL_1) + " " + std::string(TEST_ALIAS);
+ RUNNER_ASSERT_MSG(strcmp(alias, aliasOrig.c_str()) == 0, "Invalid aliast returned : " << alias);
+
+ ckmc_alias_info_list_all_free(ppalias_list);
+
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_n)
+{
+ int ret = ckmc_get_data_alias_info_list(NULL);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_alias_info_get_alias_p)
+{
+ ckmc_alias_info_list_s *ppalias_list, *tmp;
+ ckmc_key_s test_key;
+ ckmc_policy_s test_policy;
+ int ret;
+ char* current_alias;
+ const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
+ bool foundAlias = false;
+
+ test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM;
+ test_key.key_size = strlen(RSA_PUB_KEY_PEM);
+ test_key.key_type = CKMC_KEY_RSA_PUBLIC;
+ test_key.password = NULL;
+
+ test_policy.password = NULL;
+ test_policy.extractable = true;
+
+ ret = ckmc_save_key(alias, test_key, test_policy);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+ ret = ckmc_get_key_alias_info_list(&ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+ tmp = ppalias_list;
+
+ while (tmp) {
+ ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+ if (strstr(current_alias, alias)) {
+ foundAlias = true;
+ break;
+ }
+ tmp = tmp->next;
+ }
+ ckmc_alias_info_list_all_free(ppalias_list);
+ ckmc_remove_key(alias);
+ RUNNER_ASSERT_MSG(foundAlias == true, "Expected to find alias, but alias not found");
+}
+
+RUNNER_TEST(utc_ckmc_alias_info_is_password_protected_p)
+{
+ ckmc_alias_info_list_s *ppalias_list, *tmp;
+ ckmc_key_s test_key;
+ ckmc_policy_s test_policy;
+ int ret;
+ char* current_alias;
+ const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
+ bool foundAlias = false;
+
+ test_key.raw_key = (unsigned char *)RSA_PUB_KEY_PEM;
+ test_key.key_size = strlen(RSA_PUB_KEY_PEM);
+ test_key.key_type = CKMC_KEY_RSA_PUBLIC;
+ test_key.password = NULL;
+
+ test_policy.password = NULL;
+ test_policy.extractable = true;
+
+ ret = ckmc_save_key(alias, test_key, test_policy);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+ ret = ckmc_get_key_alias_info_list(&ppalias_list);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+ tmp = ppalias_list;
+
+ while (tmp) {
+ ret = ckmc_alias_info_get_alias(tmp->info, ¤t_alias);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+ if (strstr(current_alias, alias)) {
+ foundAlias = true;
+ bool is_password_protected;
+ ret = ckmc_alias_info_is_password_protected(tmp->info, &is_password_protected);
+ RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+ RUNNER_ASSERT(is_password_protected == false);
+ break;
+ }
+ tmp = tmp->next;
+ }
+ ckmc_alias_info_list_all_free(ppalias_list);
+ ckmc_remove_key(alias);
+ RUNNER_ASSERT(foundAlias == true);
+}
std::string XML_3_EXPECTED_CERT_1 = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
std::string XML_3_EXPECTED_DATA_1 = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
-std::string format_src_path(const char *file)
+auto format_dest_path(const char *file)
{
- return std::string(CKM_TEST_DIR) + std::string(file);
+ return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
}
-std::string format_dest_path(const char *file)
-{
- return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
+void test_not_exists(const char *file) {
+ const auto name = format_dest_path(file);
+ const bool file_exists = access(name.c_str(), F_OK) != -1;
+ RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
}
-void copy_file(const std::string &from, const std::string &to)
+void copy_file(const char *file)
{
- std::ifstream infile(from, std::ios_base::binary);
- RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
- std::ofstream outfile(to, std::ios_base::binary);
- RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
+ const auto src = std::string(CKM_TEST_DIR) + file;
+ const auto dest = format_dest_path(file);
+ std::ifstream infile(src, std::ios_base::binary);
+ RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
+ std::ofstream outfile(dest, std::ios_base::binary);
+ RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
outfile << infile.rdbuf();
}
-void restart_key_manager()
+void restart_key_manager(const std::initializer_list<const char * const> files_to_copy = {})
{
stop_service(MANAGER);
+ for (const auto f : files_to_copy)
+ copy_file(f);
start_service(MANAGER);
}
-void test_exists(const std::string& name, bool expected) {
- bool file_exists = (access( name.c_str(), F_OK ) != -1);
- RUNNER_ASSERT_MSG(file_exists == expected,
- "File " << name << " status: " << file_exists <<
- " while expected: " << expected);
-}
-
-}
-
int hexToBin(char h) {
if (h >= '0' && h <= '9')
return h - '0';
return output;
}
+} // namespace
+
RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
RUNNER_TEST(T6001_init)
// restart the key-manager
// check XML file doesn't exist
- copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
- copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
- copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
-
- test_exists(format_dest_path(XML_1_okay), true);
- test_exists(format_dest_path(XML_2_okay), true);
- test_exists(format_dest_path(XML_3_wrong), true);
-
- restart_key_manager();
-
- test_exists(format_dest_path(XML_1_okay), false);
- test_exists(format_dest_path(XML_2_okay), false);
- test_exists(format_dest_path(XML_3_wrong), false);
+ const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
+ restart_key_manager(files);
+ for (const auto f : files)
+ test_not_exists(f);
}
RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
std::string iv = EIV_MESSAGE_ENCRYPTION_IV;
- copy_file(format_src_path(EIV_TEST_XML_FILENAME), format_dest_path(EIV_TEST_XML_FILENAME));
- restart_key_manager();
+ restart_key_manager({EIV_TEST_XML_FILENAME});
CKM::CryptoAlgorithm algo;
CKM::RawBuffer messageBin = hexToBin(messageHex);
RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
}
+RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
+{
+ restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
+ constexpr char testDataStr[] = "test-data";
+ const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
+ CKM::RawBuffer encrypted, decrypted, signature;
+ CKM::CryptoAlgorithm algoRsa;
+ algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
+
+ auto mgr = CKM::Manager::create();
+ int temp;
+
+ #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
+
+ const auto rsaCrypt = [&](auto pub, auto prv) {
+ MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
+ RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
+ MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
+ RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
+ };
+
+ rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
+ rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
+
+ const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
+ MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
+ MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
+ };
+
+ constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
+ constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
+ sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
+ sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
+ sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
+
+ #undef MGR
+}
+
/* TODO
* - RW/RO location support (files removal, flag handling)
* - item overwrite
TEST_LEAF, // TEST_LEAF, signed by TEST_IM_CA, expires 2035
// third party
- DIGICERT_ROOT_CA, // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031
- DIGICERT_IM_CA, // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA,
- // expires 22 Oct 2028
- FACEBOOK_COM, // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA,
- // expires 22 Mar 2019
+ BALTIMORE_CYBER_TRUST_ROOT, // Baltimore CyberTrust Root, (root CA), expires May 13, 2025
+ MS_IT_TLS_CA_4, // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root,
+ // expires May 20, 2024
+ MICROSOFT_COM, // www.microsoft.com - signed by Microsoft IT TLS CA 4,
+ // expires January 16, 2020
// ocsp available chain on third party
- MICROSOFT_IM_CA, // MICROSOFT_IM_CA, signed by Baltimore CyberTrust Root, expires 20 May 2024
- BING_COM, // BING, signed by MICROSOFT_IM_CA, expires 10 Jul 2019
+ MS_IT_TLS_CA_2, // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024
+ BING_COM, // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021
// footer - last element in the set
NO_CERT
case certificateID::TEST_IM_CA: return RawCertificateID::TEST_IM_CA;
case certificateID::TEST_LEAF: return RawCertificateID::TEST_LEAF;
- case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::DIGICERT_ROOT_CA;
- case certificateID::THIRD_PARTY_IM_CA: return RawCertificateID::DIGICERT_IM_CA;
- case certificateID::THIRD_PARTY_LEAF: return RawCertificateID::FACEBOOK_COM;
+ case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT;
+ case certificateID::THIRD_PARTY_IM_CA: return RawCertificateID::MS_IT_TLS_CA_4;
+ case certificateID::THIRD_PARTY_LEAF: return RawCertificateID::MICROSOFT_COM;
- case certificateID::OCSP_AVAILABLE_IM: return RawCertificateID::MICROSOFT_IM_CA;
+ case certificateID::OCSP_AVAILABLE_IM: return RawCertificateID::MS_IT_TLS_CA_2;
case certificateID::OCSP_AVAILABLE_LEAF: return RawCertificateID::BING_COM;
case certificateID::NO_CERT: return RawCertificateID::NO_CERT;
cm[RawCertificateID::TEST_LEAF].certPtr = createCert(raw_base64);
}
- // BING.COM, signed by MICROSOFT_IM_CA, expires 10 Jul 2019
+ // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021
{
std::string raw_base64(
"-----BEGIN CERTIFICATE-----\n"
- "MIIMAjCCCeqgAwIBAgITLQAAMpnXBx230XCKQgAAAAAymTANBgkqhkiG9w0BAQsF\n"
+ "MIIN+jCCC+KgAwIBAgITIAAGDxuOsc5CY0aDQgAAAAYPGzANBgkqhkiG9w0BAQsF\n"
"ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n"
"B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n"
- "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDUw\n"
- "HhcNMTcwNzIwMTc0NzA4WhcNMTkwNzEwMTc0NzA4WjAXMRUwEwYDVQQDEwx3d3cu\n"
- "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jsg+/7Dl\n"
- "IrdgFOcaDlK3RQ9sIgkJsgpj+ZxAbIe3ziyimIxjVlHX87pqgXcNhaYNbCFD0iPm\n"
- "+aUfbv4GDTLR+AIr8eSegqxZ+CBToYM67NhpVYra1KAvY4XgqxorO4FB9IWYJRqh\n"
- "I3SZeZ3lLK5t9XuUMicG8l52nJfpPdXXvBca2wUCq8FHEObG81vJzESA0htLLPTj\n"
- "dUWBQnXPiW5bqzlGHzzv8ISV6jtDLNNa5JRlhSlXho+6pCedhNF7MP4yTaantPvA\n"
- "ELLRWX13VhjgoCcRCCu0s8rxW5DuVWl2Pb2iw35MFnNWlcoVwq0AjAfGA+xEba/W\n"
- "Lid6qfkQctYjAgMBAAGjggfQMIIHzDAdBgNVHQ4EFgQUCYflhSl4MCAls91+3Gzt\n"
- "pSmoA3AwCwYDVR0PBAQDAgSwMB8GA1UdIwQYMBaAFAj+JZ906ocEwry7jqg4XzPG\n"
- "0WxlMIGsBgNVHR8EgaQwgaEwgZ6ggZuggZiGS2h0dHA6Ly9tc2NybC5taWNyb3Nv\n"
- "ZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n"
- "MjA1LmNybIZJaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3Js\n"
- "L01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0ElMjA1LmNybDCBhQYIKwYBBQUHAQEE\n"
- "eTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n"
- "Y29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwNS5jcnQwIgYIKwYBBQUH\n"
- "MAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20wPgYJKwYBBAGCNxUHBDEwLwYnKwYB\n"
- "BAGCNxUIh9qGdYPu2QGCyYUbgbWeYYX062CBXYTS30KC55N6AgFkAgEQMB0GA1Ud\n"
- "JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBNBgNVHSAERjBEMEIGCSsGAQQBgjcq\n"
- "ATA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n"
- "Y29ycC9jcHMwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcD\n"
- "ATCCBW0GA1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20u\n"
- "Y26CEyoucGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZp\n"
- "ZW9ubGluZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5p\n"
- "ZW9ubGluZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5i\n"
- "aW5nLm5ldIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5l\n"
- "dIINKi5jbi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNv\n"
- "bYIQc3NsLWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMu\n"
- "Y29tgg9iaW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2lu\n"
- "c2VydG1lZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5i\n"
- "YXQuYmluZy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29t\n"
- "gg4qLnNzbC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5j\n"
- "bi5iaW5nLmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwu\n"
- "YmluZy5jb22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5i\n"
- "aW5nc2FuZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0\n"
- "dS5saXZlLmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVz\n"
- "LmRpdHUubGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50\n"
- "aWxlcy5kaXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxp\n"
- "dmUuY29tghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNv\n"
- "bYIVY253ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2\n"
- "ZS5jb22CEWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2Vz\n"
- "LmxpdmUuY29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5j\n"
- "b22CFGxzNGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRp\n"
- "YS5saXZlLmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMu\n"
- "bGl2ZS5jb20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3Jp\n"
- "Z2luLmNud2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNv\n"
- "bYIPc2VhcmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxp\n"
- "dmUuY29tgg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIM\n"
- "d2FwLmxpdmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2\n"
- "ZS5jb22CFXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20u\n"
- "YXUwDQYJKoZIhvcNAQELBQADggIBADTpW/UWeupk40OP6k4yxihKStswxwqPAfMR\n"
- "mx4XyqmTAawAKRNM+6EZth1BQdPdOplwRTvs69kkmUHJH+ZjYXBezEACWkzEiNUQ\n"
- "nzkRWajdSQIz08Ubj/mBD6U8xLYD+NXgiB0xNWabd8aiPsqPaj6I3qkNw4JvtgtH\n"
- "ZQG1zlwC5/Lu6yV3DM3sKpQMyBmOnX6nVUiS0MTOzLgZOQzRk07nO7EXWGcKTmDB\n"
- "jE8cqv5IA/jQ6gtaxCI5pDxfXK4ct7oQyoChfxOXcEDKMmMndFmg9ch5c4an/FRM\n"
- "2cgzDfjR01A71LNUpLUdOjNV0T+ZEStqEpdyDFfjrHGDtzLyqEz3iyvvQFyjmlGh\n"
- "6OtZXwjCPpnVSrKCmfJKio0kUxyq+6t5tZAQbPVgFKiMrVnU+sgvmNVip1toijyz\n"
- "8vMVCkwJ2G++7xjJukoELMxZ50W4/SAMZLy1Asx02NBwYCu9+CTQPVnmPe7rmxhl\n"
- "QRBOfDNa1+5jwRHY64YudEzKhWR1uqS3ABd/fk+TL86yuNYGAgxnOm1FtOGieRgV\n"
- "iV3+NzC+bDbuUOtmbD/GvDGmRwJRcCTHL7jBmkHePh2ABY93NE/IbkaDP6l1Kw98\n"
- "AfqkzSUxhqHXuThe7KIoX9/0zv4AA1WZFis1QvAG7dpl9eio6vCdC/73HvBAlqRL\n"
- "+7Mb1uu0\n"
+ "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDIw\n"
+ "HhcNMTkwNDMwMjA0ODAwWhcNMjEwNDMwMjA0ODAwWjAXMRUwEwYDVQQDEwx3d3cu\n"
+ "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhIlPb0iP7\n"
+ "xRmUScK43QI7Ci/lvfMumWhRFAHcFzjIDHs74sq0B+ze8HW5PR6LWRe/d3yR5dC8\n"
+ "7gQs0qXGitzsP9vWJcpwKV273tlnWiEfgZx5tvNCFdHOqoYoHL3a8zed/JkGTEeX\n"
+ "ukGEX0TeBgCjcVTj5qRxJhjlWxs3AcB/q4f4vi3QG80TbSU2UO0lkvhvfs73C1jq\n"
+ "i7Zspia/YsMqcQ6X+APAZ+4guKjQr5q32tzj2FGtJO6ZmZuNV9Wwb32891UhwZ3D\n"
+ "2PrIcnCNlIQ1/Fah6im7Vc67qO2x/++r7gO7PtR8byCFnFuNUVQxhSIkCkj6FvPx\n"
+ "cYefok0wJ0VRAgMBAAGjggnIMIIJxDCCAfQGCisGAQQB1nkCBAIEggHkBIIB4AHe\n"
+ "AHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFqcApGzAAABAMA\n"
+ "RjBEAiAiASIs5j19VcTLbxcOGHQlIl62d3iy1FY8dnNq+6lebQIgchbSq2Qh78zs\n"
+ "mmucyslucBycij/FYUe3F1lNpJiB9KsAdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAl\n"
+ "CBcvo6odBxPTDAAAAWpwCkgDAAAEAwBHMEUCIQDx6RqcvDdfIY9qdAuaRFBVvSHN\n"
+ "ttpAzie3KP9AAiGvBwIgSMvjse/hJusDoRFnSTtX96ierTaqzQH4oDLLnW/Gwc0A\n"
+ "dQBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAWpwCkbmAAAEAwBG\n"
+ "MEQCICbYF6Lv93BFrwLguzmas/5gQ87fzRHkTaMxDSD7PlhRAiA/DXOeTcHaiUPQ\n"
+ "WsKbJ/7x9EWKvVisqtQMnYk6cBxbBwB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2Msx\n"
+ "tT/TM5a1toGoAAABanAKRtoAAAQDAEcwRQIgardRfR7bxwSGF212a603dXYz6O5z\n"
+ "YHpPks8/RR/AMzQCIQD4VYDD+2zVDHEjz8elkKEzhgzTdOMtc1yYhCU+eHAGkjAn\n"
+ "BgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMD4GCSsGAQQB\n"
+ "gjcVBwQxMC8GJysGAQQBgjcVCIfahnWD7tkBgsmFG4G1nmGF9OtggV2E0t9CgueT\n"
+ "egIBZAIBHTCBhQYIKwYBBQUHAQEEeTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3\n"
+ "Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUy\n"
+ "MENBJTIwMi5jcnQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20w\n"
+ "HQYDVR0OBBYEFDcHtZt8HkKSRO8ETiTkCLixB9PaMAsGA1UdDwQEAwIEsDCCBW0G\n"
+ "A1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20uY26CEyou\n"
+ "cGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZpZW9ubGlu\n"
+ "ZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5pZW9ubGlu\n"
+ "ZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5iaW5nLm5l\n"
+ "dIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5ldIINKi5j\n"
+ "bi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNvbYIQc3Ns\n"
+ "LWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMuY29tgg9i\n"
+ "aW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2luc2VydG1l\n"
+ "ZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5iYXQuYmlu\n"
+ "Zy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29tgg4qLnNz\n"
+ "bC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5jbi5iaW5n\n"
+ "LmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwuYmluZy5j\n"
+ "b22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5iaW5nc2Fu\n"
+ "ZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0dS5saXZl\n"
+ "LmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVzLmRpdHUu\n"
+ "bGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50aWxlcy5k\n"
+ "aXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxpdmUuY29t\n"
+ "ghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNvbYIVY253\n"
+ "ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2ZS5jb22C\n"
+ "EWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2VzLmxpdmUu\n"
+ "Y29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5jb22CFGxz\n"
+ "NGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRpYS5saXZl\n"
+ "LmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMubGl2ZS5j\n"
+ "b20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3JpZ2luLmNu\n"
+ "d2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNvbYIPc2Vh\n"
+ "cmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxpdmUuY29t\n"
+ "gg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIMd2FwLmxp\n"
+ "dmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2ZS5jb22C\n"
+ "FXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20uYXUwgawG\n"
+ "A1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0cDovL21zY3JsLm1pY3Jvc29mdC5jb20v\n"
+ "cGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3Js\n"
+ "hklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9z\n"
+ "b2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3JsME0GA1UdIARGMEQwQgYJKwYBBAGC\n"
+ "NyoBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv\n"
+ "bXNjb3JwL2NwczAfBgNVHSMEGDAWgBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAdBgNV\n"
+ "HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAA1g\n"
+ "NJF5ks5Qrg0/qeOXQbcO3SCs+HKTKxVL8QdaTL3s5gsmWQzcYNS671DmN4lEob2g\n"
+ "WWZKyKAzQbjDOcf9ndxX4+i+PaCw5K3uONbMOwnuOCwRvDy8YEoCb3OzKFX4sjzh\n"
+ "1HVL/ljKHUPT+9ap/SpYserNxixibqF2LZYx+9hwr1bcx9GWrg3CoFUFgSZqRQ14\n"
+ "eiK94iM5kzJLKynKPhez+UOwS5VRev1mxh5nD9hBPzXHHqI9mNWu/lyr7KPUMigi\n"
+ "QfKKZuqV6W3i1H3BoJi1uDkL3SJo1F39XN3AyGSAZWS9RNn5JzEQQGiJRjrz/PE1\n"
+ "vTg1BlbsPdKa4gGZGdGBWcj2eXZc+GbLpTy3qWlmJrEn2KGLeomyndlftRPFrBUH\n"
+ "/5Mio5OeSawjlacBV25fKaoZ1BPc3i+HGKd5ctddCy6kJsgdMD221zGvf/0uW25Z\n"
+ "ImzDeH7KkOcGbzyWJwBzDgra0RP+qRgK3aYPSWI81OLlnHJ2VOix/UU63NCK2fO/\n"
+ "URzE8KxoHrgRGXCE52viHv6ksL7QXWelbERU7GEpcZU1suPhDohn4CrfrCYCjpa5\n"
+ "Ys6ci7Rren82SsXJBfNrgm2U4lxWfzWj+2Ay6yATbdoOPntue8cbbMoTzoNMHQXD\n"
+ "2DpjtFPs8/RVOFQb0IFVluCrTAnHmI8tTtsmzg6z\n"
"-----END CERTIFICATE-----\n");
cm[RawCertificateID::BING_COM].raw_base64 = raw_base64;
cm[RawCertificateID::BING_COM].certPtr = createCert(raw_base64);
}
- // MICROSOFT_IM_CA, expires 20 May 2024
+ // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024
{
std::string raw_base64(
"-----BEGIN CERTIFICATE-----\n"
- "MIIFtDCCBJygAwIBAgIQCIjNUl8ZJERNFKWCkd65UjANBgkqhkiG9w0BAQsFADBa\n"
+ "MIIFtDCCBJygAwIBAgIQDywQyVsGwJN/uNRJ+D6FaTANBgkqhkiG9w0BAQsFADBa\n"
"MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n"
"clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n"
- "MDUyMDEyNTMwM1oXDTI0MDUyMDEyNTMwM1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
+ "MDUyMDEyNTE1N1oXDTI0MDUyMDEyNTE1N1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
"VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n"
"b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n"
- "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
- "MIICCgKCAgEAmt+BXDuPrul5lrmaeaeB8jnaVShGIwLFgmYHthXe/Zw6GpuRCdJm\n"
- "jwuJF/hxhyF/ONM/miUAtzXQq/gIejbzUFvfKykn3qTdJJL69MZwjTYqmvCA3jX6\n"
- "HkKdCYGq1QcKFqXFWkJtQr4eQoK0VzCZW0Ur1I/TCgbGc5Ok4YPvxb8FJ6d4zbML\n"
- "4J4iFvOY3KYU6MyU1yP50FCZu7ULEJXx3wLpj46dVpk82I/TWPtckn49e/hQSVr3\n"
- "EHt3+OZKkEpVUt6UrXQJoGRXLM0HkJ8WrZXD0Qa68e9sBbUErKncGzGbDi0ZlQRP\n"
- "3mbLrTVyrxmCCLIUOhZfsDyb240MsALWJh/oFXHE7/ljOUOM6cKSLqHCoDAlDpYn\n"
- "X56jK4LWEL08GR6mh/5VITpcQfwBmMwvkv9mOLS4ZpwPEmhLSqyGu16Y/56mnFNs\n"
- "MxGk0K5SR9eLj/GWrLkpmo8s8a1kGMMmuwBk3lBwwLvsxmuu06DvwPFcDfLMelna\n"
- "GDMvWRCtZxQsXyJDSkTh6N3g51UWTgnvA0wMSFBa8APfju9jyltnh0NALAa2Hw8+\n"
- "U8BmP9cUFeYIYphIfoPlp7VdUS1ULWH9NF3Ut4DN0n3OsSQ785dsbBPeihfJivVI\n"
- "lUL3EpDjEBf2oQDFNiplkZ4F7EIuWriZG//UTrX6ZlXZg46/CCmN+gsCAwEAAaOC\n"
- "AUIwggE+MB0GA1UdDgQWBBQI/iWfdOqHBMK8u46oOF8zxtFsZTAfBgNVHSMEGDAW\n"
+ "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
+ "MIICCgKCAgEAnqoVwRuhY1/mURjFFrsR3AtNm5EKukBJK9zWBgvFd1ksNEJFC06o\n"
+ "yRbwKPMflpW/HtOfzIeBliGk57MwZq18bgASr70sPUWuoD917HUgBfxBYoF8zA7Z\n"
+ "Ie5zAHODFboJL7Fg/apgbQs/GiZZNCi0QkQUWzw0nTUmVSNQ0mz6pCu95Dv1WMsL\n"
+ "GyPGfdN9zD3Q/QEDyJ695QgjRIxYA1DUE+54ti2k6r0ycKFQYkyWwZ25HD1h2kYt\n"
+ "3ovW85vF6y7tjTqUEcLbgKUCB81/955hdLLsbFd6f9o2PkU8xuOc3U+bUedvv6Sb\n"
+ "tvGjBEZeFyH8/CaQhzlsKMH0+OPOFv/bMqcLarPw1V1sOV1bl4W9vi2278niblzI\n"
+ "bEHt7nN888p4KNIwqCcXaGhbtS4tjn3NKI6v1d2XRyxIvCJDjgoZ09zF39Pyoe92\n"
+ "sSRikZh7xns4tQEQ8BCs4o5NBSx8UxEsgyzNSskWGEWqsIjt+7+A1skDDZv6k2o8\n"
+ "VCHNbTLFKS7d72wMI4ErpzVsBIicxaG2ezuMBBuqThxIiJ+G9zfoP9lxim/9rvJA\n"
+ "xbh3nujA1VJfkOYTJIojEAYCxR3QjEoGdapJmBle97AfqEBnwoJsu2wav8h9v+po\n"
+ "DL4h6dRzRUxY1DHypcFlXGoHu/REQgFLq2IN30/AhQLN90Pj9TT2RQECAwEAAaOC\n"
+ "AUIwggE+MB0GA1UdDgQWBBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAfBgNVHSMEGDAW\n"
"gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n"
"DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n"
"BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n"
"aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n"
"LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n"
"AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n"
- "CwUAA4IBAQA+8s8wpXq/HmrfOVgYKDzDne7ngcVL/Gf2vx9ON9re8K/uivkDe2Bn\n"
- "dMc72v8rSuv9VHUTi+XCgRK6UhIguimKOs1DJMzVFwX+nBY/c+BtQcB2PfKrSMVZ\n"
- "YmS6RE8KGII/Qeo/GDpY56AwV3X10WoxFLaUmWXatugB3uSr+7Xz5RkKGF+kAlfe\n"
- "tlwmb3P+Lgn1CEPED8ckf50oZ2Wh3FvwOv34cIXnpU8k3kI/HUQ7XYUGhR0eHNTZ\n"
- "TlHk/R4RFsyeANmXGpfjZceGNRtTdr4y0SxBSUujPpMMW3dXBzA8NYuM0WmiJ/pV\n"
- "6KudEB7RF9+6bInTyVvXC5SIqdi0ldeO\n"
+ "CwUAA4IBAQBsf+pqb89rW8E0rP/cDuB9ixMX4C9OWQ7EA7n0BSllR64ZmuhU9mTV\n"
+ "2L0G4HEiGXvOmt15i99wJ0ho2/dvMxm1ZeufkAfMuEc5fQ9RE5ENgNR2UCuFB2Bt\n"
+ "bVmaKUAWxscN4GpXS4AJv+/HS0VXs5Su19J0DA8Bg+lo8ekCl4dq2G1m1WsCvFBI\n"
+ "oLIjd4neCLlGoxT2jA43lj2JpQ/SMkLkLy9DXj/JHdsqJDR5ogcij4VIX8V+bVD0\n"
+ "NCw7kQa6Ulq9Zo0jDEq1at4zSeH4mV2PMM3LwIXBA2xo5sda1cnUWJo3Pq4uMgcL\n"
+ "e0t+fCut38NMkTl8F0arflspaqUVVUov\n"
"-----END CERTIFICATE-----\n");
- cm[RawCertificateID::MICROSOFT_IM_CA].raw_base64 = raw_base64;
- cm[RawCertificateID::MICROSOFT_IM_CA].certPtr = createCert(raw_base64);
+ cm[RawCertificateID::MS_IT_TLS_CA_2].raw_base64 = raw_base64;
+ cm[RawCertificateID::MS_IT_TLS_CA_2].certPtr = createCert(raw_base64);
}
- // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031
+ // Baltimore CyberTrust Root, (root CA), expires May 13, 2025
{
std::string raw_base64 = std::string(
"-----BEGIN CERTIFICATE-----\n"
- "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
- "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
- "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
- "ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
- "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
- "LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
- "RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
- "+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
- "PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
- "xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
- "Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
- "hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
- "EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
- "MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
- "FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
- "nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
- "eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
- "hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
- "Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
- "vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
- "+OkuE6N36B9K\n"
+ "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n"
+ "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n"
+ "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n"
+ "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n"
+ "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n"
+ "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n"
+ "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n"
+ "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n"
+ "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n"
+ "XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n"
+ "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n"
+ "jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n"
+ "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n"
+ "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n"
+ "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n"
+ "jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n"
+ "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n"
+ "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n"
+ "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n"
"-----END CERTIFICATE-----\n");
- cm[RawCertificateID::DIGICERT_ROOT_CA].raw_base64 = raw_base64;
- cm[RawCertificateID::DIGICERT_ROOT_CA].certPtr = createCert(raw_base64);
+ cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].raw_base64 = raw_base64;
+ cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].certPtr = createCert(raw_base64);
}
- // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA, expires 22 Oct 2028
+ // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root, expires May 20, 2024
{
std::string raw_base64 = std::string(
"-----BEGIN CERTIFICATE-----\n"
- "MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs\n"
- "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
- "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
- "ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL\n"
- "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
- "LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy\n"
- "YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2\n"
- "4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC\n"
- "Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1\n"
- "itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn\n"
- "4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X\n"
- "sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft\n"
- "bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA\n"
- "MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n"
- "NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy\n"
- "dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t\n"
- "L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG\n"
- "BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ\n"
- "UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D\n"
- "aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd\n"
- "aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH\n"
- "E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly\n"
- "/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu\n"
- "xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF\n"
- "0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae\n"
- "cPUeybQ=\n"
+ "MIIFtDCCBJygAwIBAgIQC2qzsD6xqfbEYJJqqM3+szANBgkqhkiG9w0BAQsFADBa\n"
+ "MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n"
+ "clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n"
+ "MDUyMDEyNTIzOFoXDTI0MDUyMDEyNTIzOFowgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
+ "VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n"
+ "b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n"
+ "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
+ "MIICCgKCAgEAq+XrXaNrOZ71NIgSux1SJl19CQvGeY6rtw7fGbLd7g/27vRW5Ebi\n"
+ "kg/iZwvjHHGk1EFztMuZFo6/d32wrx5s7XEuwwh3Sl6Sruxa0EiB0MXpoPV6jx6N\n"
+ "XtOtksDaxpE1MSC5OQTNECo8lx0AnpkYGAnPS5fkyfwA8AxanTboskDBSqyEKKo9\n"
+ "Rhgrp4qs9K9LqH5JQsdiIMDmpztd65Afu4rYnJDjOrFswpTOPjJry3GzQS65xeFd\n"
+ "2FkngvvhSA1+6ATx+QEnQfqUWn3FMLu2utcRm4j6AcxuS5K5+Hg8y5xomhZmiNCT\n"
+ "sCqDLpcRHX6BIGHksLmbnG5TlZUixtm9dRC62XWMPD8d0Jb4M0V7ex9UM+VIl6cF\n"
+ "JKLb0dyVriAqfZaJSHuSetAksd5IEfdnPLTf+Fhg9U97NGjm/awmCLbzLEPbT8QW\n"
+ "0JsMcYexB2uG3Y+gsftm2tjL6fLwZeWO2BzqL7otZPFe0BtQsgyFSs87yC4qanWM\n"
+ "wK5c2enAfH182pzjvUqwYAeCK31dyBCvLmKM3Jr94dm5WUiXQhrDUIELH4Mia+Sb\n"
+ "vCkigv2AUVx1Xw41wt1/L3pnnz2OW4y7r530zAz7qB+dIcHz51IaXc4UV21QuEnu\n"
+ "sQsn0uJpJxJuxsAmPuekKxuLUzgG+hqHOuBLf5kWTlk9WWnxcadlZRsCAwEAAaOC\n"
+ "AUIwggE+MB0GA1UdDgQWBBR6e4zBz+egyhzUa/r74TPDDxqinTAfBgNVHSMEGDAW\n"
+ "gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n"
+ "DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n"
+ "BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n"
+ "aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n"
+ "LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n"
+ "AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n"
+ "CwUAA4IBAQAR/nIGOiEKN27I9SkiAmKeRQ7t+gaf77+eJDUX/jmIsrsB4Xjf0YuX\n"
+ "/bd38YpyT0k66LMp13SH5LnzF2CHiJJVgr3ZfRNIfwaQOolm552W95XNYA/X4cr2\n"
+ "du76mzVIoZh90pMqT4EWx6iWu9El86ZvUNoAmyqo9DUA4/0sO+3lFZt/Fg/Hjsk2\n"
+ "IJTwHQG5ElBQmYHgKEIsjnj/7cae1eTK6aCqs0hPpF/kixj/EwItkBE2GGYoOiKa\n"
+ "3pXxWe6fbSoXdZNQwwUS1d5ktLa829d2Wf6l1uVW4f5GXDuK+OwO++8SkJHOIBKB\n"
+ "ujxS43/jQPQMQSBmhxjaMmng9tyPKPK9\n"
"-----END CERTIFICATE-----\n");
- cm[RawCertificateID::DIGICERT_IM_CA].raw_base64 = raw_base64;
- cm[RawCertificateID::DIGICERT_IM_CA].certPtr = createCert(raw_base64);
+ cm[RawCertificateID::MS_IT_TLS_CA_4].raw_base64 = raw_base64;
+ cm[RawCertificateID::MS_IT_TLS_CA_4].certPtr = createCert(raw_base64);
}
- // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA, expires 22 Mar 2019
+ // www.microsoft.com - signed by Microsoft IT TLS CA 4, expires January 16, 2020
{
std::string raw_base64 = std::string(
"-----BEGIN CERTIFICATE-----\n"
- "MIIGsjCCBZqgAwIBAgIQCzw7YBoY9Z7itrsFYF7ywDANBgkqhkiG9w0BAQsFADBw\n"
- "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
- "d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz\n"
- "dXJhbmNlIFNlcnZlciBDQTAeFw0xNzEyMTUwMDAwMDBaFw0xOTAzMjIxMjAwMDBa\n"
- "MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpN\n"
- "ZW5sbyBQYXJrMRcwFQYDVQQKEw5GYWNlYm9vaywgSW5jLjEXMBUGA1UEAwwOKi5m\n"
- "YWNlYm9vay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIA87IjqqM6JBX\n"
- "puN20BXCVsDjoP9wnF2rSV60qC130oLTrgfOQ3Uk1dv1R6LFCx4gs2pJUu6iDKBS\n"
- "/b+BXOUbo4IEGDCCBBQwHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjsw\n"
- "HQYDVR0OBBYEFMD9dPV9y8Yn8QPTYqJF14QcFSEIMIHHBgNVHREEgb8wgbyCDiou\n"
- "ZmFjZWJvb2suY29tgg4qLnh4LmZiY2RuLm5ldIILKi5mYnNieC5jb22CDioueHou\n"
- "ZmJjZG4ubmV0gg4qLmZhY2Vib29rLm5ldIIOKi54eS5mYmNkbi5uZXSCDyoubWVz\n"
- "c2VuZ2VyLmNvbYIGZmIuY29tggsqLmZiY2RuLm5ldIIIKi5mYi5jb22CECoubS5m\n"
- "YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb22CDGZhY2Vib29rLmNvbTAOBgNVHQ8B\n"
- "Af8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRu\n"
- "MGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZl\n"
- "ci1nNi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhh\n"
- "LXNlcnZlci1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEF\n"
- "BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMG\n"
- "CCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu\n"
- "Y29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln\n"
- "aUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA\n"
- "MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY\n"
- "BPkb37jjd80OyA3cEAAAAWBXnEHoAAAEAwBHMEUCIBC3Rn4i2bhLyR344u3vl7be\n"
- "vxoi+WPJBhGT+j1gJmg5AiEAwQ3rzH1mmMSYNYKtVNDZMo+l6e8Z35t+X9NDR7Du\n"
- "gWAAdwCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWBXnEL7AAAE\n"
- "AwBIMEYCIQCRjvvPARW3J1ENmo2Nz1cxisa1BcbDuqvSrfuXkz8btAIhAPmllqgF\n"
- "8JjlVHUChiFzghsKVBeTxRagi55tgsAciaoZAHUAu9nfvB+KcbWTlCOXqpJ7RzhX\n"
- "lQqrUugakJZkNo4e0YUAAAFgV5xCUgAABAMARjBEAiBY6qdNgMoQAqVTl3zRrTmy\n"
- "+X/1f/esBUczsb3MWdZ1ZgIgXdxZNTrDBgyTzxgbVRObkqU3tZZdaiwsw4WI0xI0\n"
- "BtQwDQYJKoZIhvcNAQELBQADggEBAGu0uxZD+IRXXlFWLPvknRkXA7J08NyVKG70\n"
- "M2vDi2xF2YB8qlZgoxW8YiiV86IpwtOhYLZinSO0iCBDQmTf627LTPfuDcF6qOuO\n"
- "WFTvj1IbplPvGWIu5tNBiFWNQxFAIL2Rf+5vmIe+YezUHTLGGqwRtFa2ImS17IMk\n"
- "YjZ90LYXXO5qb1RKkFJtAvEBTbJsv8kr+J6Rx+YNJy17LnBX+MbWiyBbvUQoM3sY\n"
- "MmcWmcaQmECz9ZHWYjZeufSHbHKG6KDYLU8x6DyhgtxK2rsoIMlNnJkNHaLjw+b8\n"
- "7VCYa+EMWppvVuNyXOk9Jkbx7Q3SEoodT77kkHUX0bF2OkZy6cc=\n"
+ "MIIHnzCCBYegAwIBAgITFgAAoiZScXH3VKzEFgAAAACiJjANBgkqhkiG9w0BAQsF\n"
+ "ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n"
+ "B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n"
+ "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDQw\n"
+ "HhcNMTgwMTE2MjEyNDAyWhcNMjAwMTE2MjEyNDAyWjCBiDELMAkGA1UEBhMCVVMx\n"
+ "CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv\n"
+ "ZnQgQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEa\n"
+ "MBgGA1UEAxMRd3d3Lm1pY3Jvc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+ "DwAwggEKAoIBAQDM6uKEPBupNS4BXRWdhU6RzawVP27lFo4eiAOloEHaXYM1DoPU\n"
+ "Jxxt+uyhwkk8yIZFKLK9AKX0qtqTVFOh3TFk77uGJKlfyugpVs+5sGGffhd0y2cG\n"
+ "SyOltJLcf/v31tRjeN/xNi9CeHtcK46ksqgp9kdTDd1IuxDO9fN45LRPZkRuOpNy\n"
+ "yXAHlMyVDO4Xfgt8CYH/ssmr1ZqYr98dO9iAiU+eFrz6huBCAJfFzMXWznbpwrsd\n"
+ "41TjE5zPJkHaB9BOKuLZySfEQhIRewexFtJXlT88Kj6SfIoe2naZxqDW/tQVVzRx\n"
+ "ID092mXdVEjL2MZ6GocNk1pPezqY8wOUjgA7AgMBAAGjggL7MIIC9zCBmQYDVR0R\n"
+ "BIGRMIGOghVwcml2YWN5Lm1pY3Jvc29mdC5jb22CEWMucy1taWNyb3NvZnQuY29t\n"
+ "gg1taWNyb3NvZnQuY29tghFpLnMtbWljcm9zb2Z0LmNvbYIYc3RhdGljdmlldy5t\n"
+ "aWNyb3NvZnQuY29tghF3d3cubWljcm9zb2Z0LmNvbYITd3d3cWEubWljcm9zb2Z0\n"
+ "LmNvbTAdBgNVHQ4EFgQUMqJLlf7sAXZDo1IX+BIPkeyx9OcwHwYDVR0jBBgwFoAU\n"
+ "enuMwc/noMoc1Gv6++Ezww8aop0wgawGA1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0\n"
+ "cDovL21zY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0\n"
+ "JTIwSVQlMjBUTFMlMjBDQSUyMDQuY3JshklodHRwOi8vY3JsLm1pY3Jvc29mdC5j\n"
+ "b20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDQu\n"
+ "Y3JsMIGFBggrBgEFBQcBAQR5MHcwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWlj\n"
+ "cm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n"
+ "MjA0LmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTA+Bgkr\n"
+ "BgEEAYI3FQcEMTAvBicrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdhNLf\n"
+ "QoLnk3oCAWQCARowHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAsGA1Ud\n"
+ "DwQEAwIEsDBNBgNVHSAERjBEMEIGCSsGAQQBgjcqATA1MDMGCCsGAQUFBwIBFido\n"
+ "dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcHMwJwYJKwYBBAGC\n"
+ "NxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC\n"
+ "AgEAZQDBGHkYWARoiApsKcns0lfEuovFuh9CQ3ZMVTDjDhvls0IcuddtEvETXdB+\n"
+ "h8+vgIx4jC7SmsRrpEH28X06qEZCMd1vPP/rEI9ZYwAnzabB/HRkGsPHv/hkjVbh\n"
+ "csqYVkPyD9MYc+cgRE0Nggh+l2fIuSxrMvFw0iLsE/7ZkyiZFWfLkddu/be7gjoY\n"
+ "IbNyS6E2HQkHlexz9QBUMHERUYBuqey+c1l45WTgLJUWsqeIZJ01oekLkdkR4tg1\n"
+ "pZbnFjDeRBqFLnUU1RMHlgKodJYPMzBCkZGRk0mCZJDJcZv62HNdT/Zuz4yHLz6K\n"
+ "QcjpVZacYyqeBBqJtus5zSJKP8l9MqZYbihsmAlXZdeXPwiB+YEeGGEGi2iDV39e\n"
+ "Ss6rPCL1BYZ5kvfoBdSfTAPmviK4ezCUuBL/k4YulsrquoAC/Sz+xFVEBK+qdYXc\n"
+ "zxgFMxXnx6XjxkKGYrf33g6e/9XexHsyWolQhrmbZE3GrTmH9hbqh0bg+95qhk0o\n"
+ "q+iDWy3Lj5ZnexabBg/r+szxTNmPp0LIvMcM1YW9hkAyDYuDSB0Yee/p+ByJUeMI\n"
+ "T55F/YO/Qtqc7Z2vNvnq/229nly2lg8AVwDliH30hloIffEXMY3xJWwDUG6Uj++g\n"
+ "+838tBwUOF9wrBIwh9pI8EQLW9HUROzSg8ALy7tgVWuowFo=\n"
"-----END CERTIFICATE-----\n");
- cm[RawCertificateID::FACEBOOK_COM].raw_base64 = raw_base64;
- cm[RawCertificateID::FACEBOOK_COM].certPtr = createCert(raw_base64);
+ cm[RawCertificateID::MICROSOFT_COM].raw_base64 = raw_base64;
+ cm[RawCertificateID::MICROSOFT_COM].certPtr = createCert(raw_base64);
}
return cm;
capi-testcases.cpp
encryption-decryption-env.cpp
encryption-decryption.cpp
+ sign-verify.cpp
main.cpp
)
RUNNER_TEST(T3045_save_big_data_C_API, RemoveDataEnv<USER_APP>)
{
-#ifdef TZ_BACKEND
+ // We don't know which backend will be used
const size_t BIG_SIZE = 100000;
-#else
- const size_t BIG_SIZE = 5000000;
-#endif
std::vector<char> big_data(BIG_SIZE);
std::ifstream is("/dev/urandom", std::ifstream::binary);
/*
- * Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <string>
#include <vector>
-#include <map>
-#include <sstream>
+#include <unordered_map>
#include <dpl/test/test_runner.h>
#include <ckm-common.h>
#include <ckmc/ckmc-manager.h>
+#include <ckmc/ckmc-control.h>
#include <ckm/ckm-type.h>
#include <ckm/ckm-manager.h>
#include <encryption-decryption-env.h>
return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted);
}
-// Policy backend to use in subsequent operations (global for each test case)
-PolicyBackend g_backend = PolicyBackend::DEFAULT;
-
-class testBackend {
-public:
- testBackend(PolicyBackend backend){
- m_backend = g_backend;
- g_backend = backend;
- }
-
- virtual ~testBackend(){
- //restore in destructor
- g_backend = m_backend;
- }
-private:
- PolicyBackend m_backend;
-};
-
inline CKM::Password _tostring(const char *str)
{
return (str == nullptr) ? Password() : Password(str);
Alias pub;
};
-class EncEnv : public RemoveDataEnv<UID> {
-public:
- EncEnv() : m_dbu(NULL) {}
- ~EncEnv() { delete m_dbu; }
-
- void init(const std::string& str) {
- RemoveDataEnv<UID>::init(str);
- m_dbu = new ScopedDBUnlock(UID, "db-pass"); // unlock user's database
+struct SyncEnv {
+ void init(const std::string&) {
+ g_api = &g_syncApi;
}
void finish() {
- delete m_dbu;
- m_dbu = NULL;
- RemoveDataEnv<UID>::finish();
- g_api = NULL;
- }
-
- ScopedDBUnlock* m_dbu;
-};
-
-struct SyncEnv : public EncEnv {
- void init(const std::string& str) {
- EncEnv::init(str);
- g_api = &g_syncApi;
+ g_api = nullptr;
}
static std::string suffix() { return "_sync"; }
};
-struct AsyncEnv : public EncEnv {
- void init(const std::string& str) {
- EncEnv::init(str);
+struct AsyncEnv {
+ void init(const std::string&) {
g_api = &g_asyncApi;
}
+ void finish() {
+ g_api = nullptr;
+ }
+
static std::string suffix() { return "_async"; }
};
-struct AlgoBase {
- ckmc_algo_type_e m_type;
- size_t m_keyLen;
-
- AlgoBase(ckmc_algo_type_e type, size_t keyLen) : m_type(type), m_keyLen(keyLen) {}
-
- virtual KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr) = 0;
+struct Algo {
+ ckmc_algo_type_e type;
+ size_t keyLen;
};
-typedef std::shared_ptr<AlgoBase> AlgoBasePtr;
+std::unordered_map<size_t, std::vector<Alias>> g_symKeys;
+std::unordered_map<size_t, std::vector<KeyAliasPair>> g_asymKeys;
-template <typename T>
-AlgoBasePtr createAlgo(ckmc_algo_type_e type, size_t keyLen) {
- return AlgoBasePtr(new T(type, keyLen));
-}
+enum KeyIdx {
+ PRIMARY = 0,
+ PASSWORD_PROTECTED = 1,
-struct AlgoAes : public AlgoBase {
- AlgoAes(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {}
- KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr);
+ KEY_IDX_MAX
};
-KeyAliasPair AlgoAes::keyGen(const char* pass, const char* suffix)
-{
- KeyAliasPair aliases;
- std::ostringstream oss;
- std::string ownerId = getOwnerIdFromSelf();
- CharPtr passPtr(nullptr, free);
- if (pass)
- passPtr.reset(strdup(pass));
+RawBufferPtr PLAIN_DATA;
+RawBufferPtr BIG_DATA;
+ckmc_raw_buffer_s* DEFAULT_IV;
+ckmc_raw_buffer_s* IV11;
+ckmc_raw_buffer_s* IV12;
+ckmc_raw_buffer_s* IV15;
+ckmc_raw_buffer_s* IV17;
+ckmc_raw_buffer_s* IV128;
+ckmc_raw_buffer_s* AAD32;
+ckmc_raw_buffer_s* AAD64;
- oss << "aes_" << static_cast<int>(m_type) << "_" << m_keyLen << "_key_alias";
- if (suffix)
- oss << suffix;
- aliases.prv = aliasWithLabel(ownerId.c_str(),oss.str().c_str());
- aliases.pub = aliasWithLabel(ownerId.c_str(), oss.str().c_str());
+KeyAliasPair getKey(const Algo& algo, KeyIdx idx)
+{
+ if (algo.type == CKMC_ALGO_RSA_OAEP)
+ return g_asymKeys[algo.keyLen][idx];
- ckmc_policy_s policy;
- policy.extractable = false;
- policy.password = passPtr.get();
+ KeyAliasPair pair;
+ pair.prv = g_symKeys[algo.keyLen][idx];
+ pair.pub = pair.prv;
+ return pair;
+}
- auto mgr = CKM::Manager::create();
- RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyAES(m_keyLen, Alias(aliases.prv.c_str()),
- _toCkmPolicy(policy, g_backend)),
- "AES key creation failed");
+class EncGroupFixture: public DPL::Test::TestGroup
+{
+public:
+ void Init() override
+ {
+ remove_user_data(UID);
+ int ret = ckmc_unlock_user_key(UID, "db-pass");
+ if (ret != CKMC_ERROR_NONE)
+ RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
+
+ // Policy backend to use in subsequent operations (global for each test case)
+#ifdef TZ_BACKEND
+ m_backend = PolicyBackend::FORCE_HARDWARE;
+#else
+ m_backend = PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+ // generate keys
+ m_manager = Manager::create();
+ generateSymmetricKeys(128);
+ generateSymmetricKeys(192);
+ generateSymmetricKeys(256);
+ generateRsaKeys(1024);
+ generateRsaKeys(2048);
+ generateRsaKeys(4096);
+
+ PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
+#ifdef TZ_BACKEND
+ BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000));
+#else
+ BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
+#endif
+ DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
+ IV11 = createRandomBufferCAPI(11);
+ IV12 = createRandomBufferCAPI(12);
+ IV15 = createRandomBufferCAPI(15);
+ IV17 = createRandomBufferCAPI(17);
+ IV128 = createRandomBufferCAPI(128);
+ AAD32 = createRandomBufferCAPI(32);
+ AAD64 = createRandomBufferCAPI(64);
+ }
- return aliases;
-}
+ void generateSymmetricKeys(size_t bitLen)
+ {
+ for (int i = 0; i < KEY_IDX_MAX; i++)
+ {
+ Policy p(Password(), false, m_backend);
+ if (i == PASSWORD_PROTECTED)
+ p.password.assign(PASSWORD);
+
+ std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
+ int ret = m_manager->createKeyAES(bitLen, alias, p);
+ if (ret != CKM_API_SUCCESS)
+ RUNNER_ERROR_MSG("AES key creation failed");
+
+ g_symKeys[bitLen].push_back(alias);
+ }
+ }
-struct AlgoRsa : public AlgoBase {
- AlgoRsa(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {}
- KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr);
-};
+ void generateRsaKeys(size_t bitLen)
+ {
+ for (int i = 0; i < KEY_IDX_MAX; i++)
+ {
+ Policy prvPolicy(Password(), false, m_backend);
+ Policy pubPolicy(Password(), true, m_backend);
+ if (i == PASSWORD_PROTECTED) {
+ prvPolicy.password.assign(PASSWORD);
+ pubPolicy.password.assign(PASSWORD);
+ }
+
+ KeyAliasPair alias;
+ alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
+ alias.pub = std::string("pub") + alias.prv;
+ int ret = m_manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy);
+ if (ret != CKM_API_SUCCESS)
+ RUNNER_ERROR_MSG("RSA key creation failed");
+
+ g_asymKeys[bitLen].push_back(alias);
+ }
+ }
-KeyAliasPair AlgoRsa::keyGen(const char* pass, const char* suffix)
-{
- std::ostringstream oss_prv, oss_pub;
- oss_prv << "rsa_oaep_prv_alias_" << m_keyLen;
- oss_pub << "rsa_oaep_pub_alias_" << m_keyLen;
- if (suffix) {
- oss_prv << suffix;
- oss_pub << suffix;
+ void Finish() override
+ {
+ for (const auto &entry : g_asymKeys) {
+ for (const auto &keyPair : entry.second) {
+ m_manager->removeAlias(keyPair.prv);
+ m_manager->removeAlias(keyPair.pub);
+ }
+ }
+
+ for (const auto &entry : g_symKeys) {
+ for (const auto &key : entry.second) {
+ m_manager->removeAlias(key);
+ }
+ }
+
+ BIG_DATA.reset();
+ PLAIN_DATA.reset();
+ ckmc_buffer_free(AAD64);
+ ckmc_buffer_free(AAD32);
+ ckmc_buffer_free(IV128);
+ ckmc_buffer_free(IV17);
+ ckmc_buffer_free(IV15);
+ ckmc_buffer_free(IV12);
+ ckmc_buffer_free(IV11);
+ ckmc_buffer_free(DEFAULT_IV);
+
+ int ret = ckmc_lock_user_key(UID);
+ if (ret != CKMC_ERROR_NONE)
+ RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
+ remove_user_data(UID);
}
- KeyAliasPair aliases = {
- aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_prv.str().c_str()),
- aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_pub.str().c_str())
- };
- CharPtr passPtr(nullptr, free);
- if (pass)
- passPtr.reset(strdup(pass));
-
- ckmc_policy_s policyPrv;
- policyPrv.password = passPtr.get();
- policyPrv.extractable = 0;
-
- ckmc_policy_s policyPub;
- policyPub.password = passPtr.get();
- policyPub.extractable = 0;
-
- auto mgr = CKM::Manager::create();
-
- RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyPairRSA(static_cast<int>(m_keyLen),
- CKM::Alias(aliases.prv.c_str()),
- CKM::Alias(aliases.pub.c_str()),
- _toCkmPolicy(policyPrv, g_backend),
- _toCkmPolicy(policyPub, g_backend)), "RSA key pair generation failed" );
- return aliases;
-}
-
-enum Algorithm {
- AES_CBC_128,
- AES_CBC_192,
- AES_CBC_256,
- AES_GCM_128,
- AES_GCM_192,
- AES_GCM_256,
- AES_CTR_128,
- AES_CTR_192,
- AES_CTR_256,
- AES_CFB_128,
- AES_CFB_192,
- AES_CFB_256,
- RSA_OAEP_1024,
- RSA_OAEP_2048,
- RSA_OAEP_4096,
+private:
+ ManagerShPtr m_manager;
+ PolicyBackend m_backend;
};
-std::map<Algorithm, AlgoBasePtr> g_algorithms = {
- { AES_CBC_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 128) },
- { AES_CBC_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 192) },
- { AES_CBC_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 256) },
- { AES_GCM_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 128) },
- { AES_GCM_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 192) },
- { AES_GCM_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 256) },
- { AES_CTR_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 128) },
- { AES_CTR_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 192) },
- { AES_CTR_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 256) },
- { AES_CFB_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 128) },
- { AES_CFB_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 192) },
- { AES_CFB_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 256) },
- { RSA_OAEP_1024, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 1024) },
- { RSA_OAEP_2048, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 2048) },
- { RSA_OAEP_4096, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 4096) },
-};
void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer)
{
Alias pubKey;
};
-EncryptionResult encrypt(const AlgoBasePtr& algo,
+EncryptionResult encrypt(const Algo& algo,
const RawBufferPtr& plain,
const char* pass = nullptr)
{
EncryptionResult ret;
ckmc_raw_buffer_s* encrypted = nullptr;
- KeyAliasPair aliases = algo->keyGen(pass);
+ KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED);
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ret.params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV);
assert_crypto_positive(apiEncrypt,
ret.params.get(),
}
void testAllAlgorithms(
- const std::function<void(const AlgoBasePtr& algo)>& test)
-{
- for(const auto& it : g_algorithms)
- test(it.second);
-}
-
-void testNoIvEnc(Algorithm type)
+ const std::function<void(const Algo& algo)>& test)
+{
+ test( { CKMC_ALGO_AES_CBC, 128 });
+ test( { CKMC_ALGO_AES_CBC, 192 });
+ test( { CKMC_ALGO_AES_CBC, 256 });
+ test( { CKMC_ALGO_AES_GCM, 128 });
+ test( { CKMC_ALGO_AES_GCM, 192 });
+ test( { CKMC_ALGO_AES_GCM, 256 });
+ test( { CKMC_ALGO_AES_CTR, 128 });
+ test( { CKMC_ALGO_AES_CTR, 192 });
+ test( { CKMC_ALGO_AES_CTR, 256 });
+ test( { CKMC_ALGO_AES_CFB, 128 });
+ test( { CKMC_ALGO_AES_CFB, 192 });
+ test( { CKMC_ALGO_AES_CFB, 256 });
+ test( { CKMC_ALGO_RSA_OAEP, 1024 });
+ test( { CKMC_ALGO_RSA_OAEP, 2048 });
+ test( { CKMC_ALGO_RSA_OAEP, 4096 });
+}
+
+void testNoIvEnc(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// param list with algo type only
ParamListPtr params = createParamListPtr();
- setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type);
+ setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
assert_crypto_invalid_param(apiEncrypt,
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encrypted);
}
-void testNoIvDec(Algorithm type)
+void testNoIvDec(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt;
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// param list with algo type only
ParamListPtr params = createParamListPtr();
- setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type);
+ setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
assert_crypto_invalid_param(apiDecrypt,
params.get(),
ret.prvKey.c_str(),
&decrypted);
}
-void testInvalidIvEnc(Algorithm type)
+void testInvalidIvEnc(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encryptedTmp = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
// invalid encryption
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encryptedTmp);
ckmc_buffer_free(encryptedTmp);
encryptedTmp = nullptr;
};
// invalid iv size
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1));
+ setParam(params, CKMC_PARAM_ED_IV, IV15);
test();
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1));
+ setParam(params, CKMC_PARAM_ED_IV, IV17);
test();
};
-void testInvalidIvDec(Algorithm type)
+void testInvalidIvDec(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// valid encryption
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// decryption
auto test2 = [&](){
};
// invalid iv size
- setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1));
+ setParam(ret.params, CKMC_PARAM_ED_IV, IV15);
test2();
- setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1));
+ setParam(ret.params, CKMC_PARAM_ED_IV, IV17);
test2();
};
-void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name)
+void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encrypted = nullptr;
ckmc_raw_buffer_s* decrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
// set AAD
- setParam(params, name, createRandomBufferCAPI(64));
+ setParam(params, name, AAD64);
// encrypt
assert_crypto_positive(apiEncrypt,
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encrypted);
RawBufferPtr tmpEnc = create_raw_buffer(encrypted);
RawBufferPtr tmpDec = create_raw_buffer(decrypted);
// check
- assert_buffers_equal(*plain.get(), *tmpDec.get());
+ assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get());
tmpDec.reset();
decrypted = nullptr;
// set wrong AAD
- setParam(params, name, createRandomBufferCAPI(32));
+ setParam(params, name, AAD32);
// decrypt
assert_crypto_result(EncryptionError::INVALID_PARAM,
&decrypted);
}
-void testGcmIvSize(size_t size,
+void testGcmIvSize(ckmc_raw_buffer_s* iv,
const KeyAliasPair& aliases,
EncryptionError error = EncryptionError::SUCCESS)
{
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
RawBufferPtr encrypted;
RawBufferPtr decrypted;
ckmc_raw_buffer_s* encryptedTmp = nullptr;
ckmc_param_list_h handle = NULL;
assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(size));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
+ setParam(params, CKMC_PARAM_ED_IV, iv);
// encryption
assert_crypto_result(error,
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encryptedTmp);
if(error != EncryptionError::SUCCESS)
&decryptedTmp);
decrypted = create_raw_buffer(decryptedTmp);
- assert_buffers_equal(*plain.get(), *decrypted.get());
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get());
}
-void testIntegrity(Algorithm type)
+void testIntegrity(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// break the encrypted data
ret.encrypted->data[BUF_LEN/2]++;
&decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted);
- assert_buffers_equal(*plain.get(), *decrypted, false);
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
}
-void testCtrEncryptionInvalidLength(Algorithm type)
+void testCtrEncryptionInvalidLength(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encryptedTmp = nullptr;
// add AES CTR key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
// encryption
auto test = [&](){
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encryptedTmp);
ckmc_buffer_free(encryptedTmp);
encryptedTmp = nullptr;
test();
}
-void testCtrEncryptionValidLength(Algorithm type)
+void testCtrEncryptionValidLength(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encryptedTmp = nullptr;
// add AES CTR key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
// encryption
auto test = [&](){
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encryptedTmp);
ckmc_buffer_free(encryptedTmp);
encryptedTmp = nullptr;
test();
}
-void testCtrDecryptionInvalidLength(Algorithm type)
+void testCtrDecryptionInvalidLength(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// add AES CTR key & encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// decryption
auto test = [&](){
test();
}
-void testCtrDecryptionValidLength(Algorithm type)
+void testCtrDecryptionValidLength(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// add AES CTR key & encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// decryption
auto test = [&](){
&decrypted);
ckmc_buffer_free(decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted);
- assert_buffers_equal(*plain.get(), *decrypted);
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
};
// invalid counter size
setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1);
test();
}
-void testGcmEncryptionTagLen(Algorithm type)
+void testGcmEncryptionTagLen(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encryptedTmp = nullptr;
// add AES GCM key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
std::vector<TagTest> testData = {
// illegal tag lengths
{ 116, EncryptionError::INVALID_PARAM },
{ 124, EncryptionError::INVALID_PARAM },
{ 256, EncryptionError::INVALID_PARAM },
+#ifdef TZ_BACKEND
+ { 32, EncryptionError::INVALID_PARAM },
+ { 64, EncryptionError::INVALID_PARAM },
+ // legal tag lengths
+#else
// legal tag lengths
{ 32, EncryptionError::SUCCESS },
{ 64, EncryptionError::SUCCESS },
+#endif
+
{ 96, EncryptionError::SUCCESS },
{ 104, EncryptionError::SUCCESS },
{ 112, EncryptionError::SUCCESS },
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encryptedTmp);
ckmc_buffer_free(encryptedTmp);
encryptedTmp = nullptr;
}
}
-void testGcmDecryptionTagLen(Algorithm type)
+void testGcmDecryptionTagLen(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// add AES GCM key & encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
std::vector<TagTest> testData = {
// illegal tag lengths
}
}
-void testGcmWrongTag(Algorithm type)
+void testGcmWrongTag(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt with AES GCM
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// modify tag (last 16B of encrypted message)
ret.encrypted->data[ret.encrypted->size-1]++;
&decrypted);
}
-void testGcmDifferentIvSizes(Algorithm type)
+void testGcmDifferentIvSizes(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// add AES GCM key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
- testGcmIvSize(11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
- testGcmIvSize(12, aliases);
- testGcmIvSize(17, aliases);
- testGcmIvSize(128, aliases);
+ testGcmIvSize(IV11, aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
+ testGcmIvSize(IV12, aliases);
+ testGcmIvSize(IV17, aliases);
+ testGcmIvSize(IV128, aliases);
}
-void testEncryptDecryptBigData(Algorithm type)
+void testEncryptDecryptBigData(const Algo& algo)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
-
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(5000000));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, BIG_DATA);
assert_positive(apiDecrypt,
ret.params.get(),
&decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted);
- assert_buffers_equal(*plain.get(), *decrypted);
+ assert_buffers_equal(*BIG_DATA.get(), *decrypted);
}
-void testEncryptDecryptDifferentKeys(Algorithm type, bool success)
+void testEncryptDecryptDifferentKeys(const Algo& algo, bool success)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
- // add different key
- KeyAliasPair differentKeys = algo->keyGen(nullptr, "_wrong");
+ // get different keys
+ KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED);
if (success) {
// some algorithms don't verify key validity
assert_crypto_positive(apiDecrypt,
ret.params.get(),
differentKeys.prv.c_str(),
- nullptr,
+ PASSWORD,
*ret.encrypted.get(),
&decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted);
- assert_buffers_equal(*plain.get(), *decrypted, false);
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
} else {
- assert_crypto_result(EncryptionError::INVALID_PARAM,
+ assert_crypto_result(EncryptionError::INVALID_PARAM,
apiDecrypt,
ret.params.get(),
differentKeys.prv.c_str(),
- nullptr,
+ PASSWORD,
*ret.encrypted.get(),
&decrypted);
- }
-
- // Cleanup before testing next algorithm. Ignore results because not all keys are present
- ckmc_remove_alias(ret.prvKey.c_str());
- ckmc_remove_alias(ret.pubKey.c_str());
- ckmc_remove_alias(differentKeys.prv.c_str());
- ckmc_remove_alias(differentKeys.pub.c_str());
+ }
}
-void testRsaLongestData(Algorithm type, size_t dataSize)
+void testRsaLongestData(const Algo& algo, size_t dataSize)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
// prepare buffers
RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
ckmc_raw_buffer_s* decrypted = nullptr;
assert_buffers_equal(*plain.get(), *decrypted);
}
-void testRsaDataTooLong(Algorithm type, size_t dataSize)
+void testRsaDataTooLong(const Algo& algo, size_t dataSize)
{
- const AlgoBasePtr& algo = g_algorithms.at(type);
// prepare buffers
RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
// encrypt
EncryptionResult ret;
ckmc_raw_buffer_s* encrypted = nullptr;
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ret.params = ParamListPtr(handle, ckmc_param_list_free);
assert_crypto_result(EncryptionError::INVALID_PARAM,
apiEncrypt,
} // namespace anonymous
-
-RUNNER_TEST_GROUP_INIT(CKM_ENCRYPTION_DECRYPTION);
+RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
/////////////////////////////////////////
// Generic encryption decryption tests
RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// null param list
assert_crypto_invalid_param(apiEncrypt,
nullptr,
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encrypted);
// empty param list
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encrypted);
});
}
RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* encrypted = nullptr;
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
apiEncrypt,
params.get(),
"non-existing-key-alias",
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
&encrypted);
});
}
RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
ckmc_raw_buffer_s plain = { nullptr, 0 };
ckmc_raw_buffer_s* encrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
assert_crypto_invalid_param(apiEncrypt,
params.get(),
RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s** encrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
assert_crypto_invalid_param(apiEncrypt,
params.get(),
aliases.pub.c_str(),
nullptr,
- *plain.get(),
+ *PLAIN_DATA.get(),
encrypted);
});
}
RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt;
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
// null param list
assert_crypto_invalid_param(apiDecrypt,
RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
-
- // remove key
- assert_positive(ckmc_remove_alias, ret.prvKey.c_str());
+ auto ret = encrypt(algo, PLAIN_DATA);
// try to decrypt
assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
apiDecrypt,
ret.params.get(),
- ret.prvKey.c_str(),
+ "non-existent-key",
nullptr,
*ret.encrypted.get(),
&decrypted);
RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
ckmc_raw_buffer_s encrypted = { nullptr, 0 };
ckmc_raw_buffer_s* decrypted = nullptr;
// add key
- KeyAliasPair aliases = algo->keyGen();
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// setup params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
assert_crypto_invalid_param(apiDecrypt,
params.get(),
RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s** decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
assert_crypto_invalid_param(apiDecrypt,
ret.params.get(),
RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptDifferentKeys(AES_CBC_128, false);
- testEncryptDecryptDifferentKeys(AES_CBC_192, false);
- testEncryptDecryptDifferentKeys(AES_CBC_256, false);
- testEncryptDecryptDifferentKeys(AES_GCM_128, false);
- testEncryptDecryptDifferentKeys(AES_GCM_192, false);
- testEncryptDecryptDifferentKeys(AES_GCM_256, false);
- testEncryptDecryptDifferentKeys(AES_CTR_128, true);
- testEncryptDecryptDifferentKeys(AES_CTR_192, true);
- testEncryptDecryptDifferentKeys(AES_CTR_256, true);
- testEncryptDecryptDifferentKeys(AES_CFB_128, true);
- testEncryptDecryptDifferentKeys(AES_CFB_192, true);
- testEncryptDecryptDifferentKeys(AES_CFB_256, true);
- testEncryptDecryptDifferentKeys(RSA_OAEP_1024, false);
- testEncryptDecryptDifferentKeys(RSA_OAEP_2048, false);
- testEncryptDecryptDifferentKeys(RSA_OAEP_4096, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
+ testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
}
RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
assert_crypto_positive(apiDecrypt,
ret.params.get(),
&decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted);
- assert_buffers_equal(*plain.get(), *decrypted);
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
});
}
RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
ckmc_raw_buffer_s* decrypted = nullptr;
// encrypt
- auto ret = encrypt(algo, plain, PASSWORD);
+ auto ret = encrypt(algo, PLAIN_DATA, PASSWORD);
// wrong password
assert_crypto_result(EncryptionError::AUTH_FAILED,
&decrypted);
RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion
- assert_buffers_equal(*plain.get(), *decrypted);
+ assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
});
}
// long test split into smaller ones
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CBC_128);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CBC_192);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CBC_256);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_GCM_128);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_GCM_192);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_GCM_256);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CTR_128);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CTR_192);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CTR_256);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CFB_128);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CFB_192);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
}
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testEncryptDecryptBigData(AES_CFB_256);
+ testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
}
/////////////////////////////////////////
RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
{
- testNoIvEnc(AES_CTR_128);
- testNoIvEnc(AES_CTR_192);
- testNoIvEnc(AES_CTR_256);
- testNoIvEnc(AES_CBC_128);
- testNoIvEnc(AES_CBC_192);
- testNoIvEnc(AES_CBC_256);
- testNoIvEnc(AES_CFB_128);
- testNoIvEnc(AES_CFB_192);
- testNoIvEnc(AES_CFB_256);
- testNoIvEnc(AES_GCM_128);
- testNoIvEnc(AES_GCM_192);
- testNoIvEnc(AES_GCM_256);
+ testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
+ testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
+ testNoIvEnc({CKMC_ALGO_AES_CTR, 256});
+ testNoIvEnc({CKMC_ALGO_AES_CBC, 128});
+ testNoIvEnc({CKMC_ALGO_AES_CBC, 192});
+ testNoIvEnc({CKMC_ALGO_AES_CBC, 256});
+ testNoIvEnc({CKMC_ALGO_AES_CFB, 128});
+ testNoIvEnc({CKMC_ALGO_AES_CFB, 192});
+ testNoIvEnc({CKMC_ALGO_AES_CFB, 256});
+ testNoIvEnc({CKMC_ALGO_AES_GCM, 128});
+ testNoIvEnc({CKMC_ALGO_AES_GCM, 192});
+ testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
{
- testInvalidIvEnc(AES_CTR_128);
- testInvalidIvEnc(AES_CTR_192);
- testInvalidIvEnc(AES_CTR_256);
- testInvalidIvEnc(AES_CBC_128);
- testInvalidIvEnc(AES_CBC_192);
- testInvalidIvEnc(AES_CBC_256);
- testInvalidIvEnc(AES_CFB_128);
- testInvalidIvEnc(AES_CFB_192);
- testInvalidIvEnc(AES_CFB_256);
+ testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
+ testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
+ testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256});
+ testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128});
+ testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192});
+ testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256});
+ testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128});
+ testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192});
+ testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
}
RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
{
- testNoIvDec(AES_CTR_128);
- testNoIvDec(AES_CTR_192);
- testNoIvDec(AES_CTR_256);
- testNoIvDec(AES_CBC_128);
- testNoIvDec(AES_CBC_192);
- testNoIvDec(AES_CBC_256);
- testNoIvDec(AES_CFB_128);
- testNoIvDec(AES_CFB_192);
- testNoIvDec(AES_CFB_256);
- testNoIvDec(AES_GCM_128);
- testNoIvDec(AES_GCM_192);
- testNoIvDec(AES_GCM_256);
+ testNoIvDec({CKMC_ALGO_AES_CTR, 128});
+ testNoIvDec({CKMC_ALGO_AES_CTR, 192});
+ testNoIvDec({CKMC_ALGO_AES_CTR, 256});
+ testNoIvDec({CKMC_ALGO_AES_CBC, 128});
+ testNoIvDec({CKMC_ALGO_AES_CBC, 192});
+ testNoIvDec({CKMC_ALGO_AES_CBC, 256});
+ testNoIvDec({CKMC_ALGO_AES_CFB, 128});
+ testNoIvDec({CKMC_ALGO_AES_CFB, 192});
+ testNoIvDec({CKMC_ALGO_AES_CFB, 256});
+ testNoIvDec({CKMC_ALGO_AES_GCM, 128});
+ testNoIvDec({CKMC_ALGO_AES_GCM, 192});
+ testNoIvDec({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
{
- testInvalidIvDec(AES_CTR_128);
- testInvalidIvDec(AES_CTR_192);
- testInvalidIvDec(AES_CTR_256);
- testInvalidIvDec(AES_CBC_128);
- testInvalidIvDec(AES_CBC_192);
- testInvalidIvDec(AES_CBC_256);
- testInvalidIvDec(AES_CFB_128);
- testInvalidIvDec(AES_CFB_192);
- testInvalidIvDec(AES_CFB_256);
+ testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
+ testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
+ testInvalidIvDec({CKMC_ALGO_AES_CTR, 256});
+ testInvalidIvDec({CKMC_ALGO_AES_CBC, 128});
+ testInvalidIvDec({CKMC_ALGO_AES_CBC, 192});
+ testInvalidIvDec({CKMC_ALGO_AES_CBC, 256});
+ testInvalidIvDec({CKMC_ALGO_AES_CFB, 128});
+ testInvalidIvDec({CKMC_ALGO_AES_CFB, 192});
+ testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
}
RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
{
- testIntegrity(AES_CTR_128);
- testIntegrity(AES_CTR_192);
- testIntegrity(AES_CTR_256);
- testIntegrity(AES_CBC_128);
- testIntegrity(AES_CBC_192);
- testIntegrity(AES_CBC_256);
- testIntegrity(AES_CFB_128);
- testIntegrity(AES_CFB_192);
- testIntegrity(AES_CFB_256);
+ testIntegrity({CKMC_ALGO_AES_CTR, 128});
+ testIntegrity({CKMC_ALGO_AES_CTR, 192});
+ testIntegrity({CKMC_ALGO_AES_CTR, 256});
+ testIntegrity({CKMC_ALGO_AES_CBC, 128});
+ testIntegrity({CKMC_ALGO_AES_CBC, 192});
+ testIntegrity({CKMC_ALGO_AES_CBC, 256});
+ testIntegrity({CKMC_ALGO_AES_CFB, 128});
+ testIntegrity({CKMC_ALGO_AES_CFB, 192});
+ testIntegrity({CKMC_ALGO_AES_CFB, 256});
}
RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
{
- testCtrEncryptionInvalidLength(AES_CTR_128);
- testCtrEncryptionInvalidLength(AES_CTR_192);
- testCtrEncryptionInvalidLength(AES_CTR_256);
+ testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
+ testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
+ testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
}
RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
{
RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
- testCtrEncryptionValidLength(AES_CTR_128);
- testCtrEncryptionValidLength(AES_CTR_192);
- testCtrEncryptionValidLength(AES_CTR_256);
+ testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
+ testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192});
+ testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
}
RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
{
- testCtrDecryptionInvalidLength(AES_CTR_128);
- testCtrDecryptionInvalidLength(AES_CTR_192);
- testCtrDecryptionInvalidLength(AES_CTR_256);
+ testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
+ testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
+ testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
}
RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
{
RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
- testCtrDecryptionValidLength(AES_CTR_128);
- testCtrDecryptionValidLength(AES_CTR_192);
- testCtrDecryptionValidLength(AES_CTR_256);
+ testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
+ testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192});
+ testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
}
RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testGcmEncryptionTagLen(AES_GCM_128);
- testGcmEncryptionTagLen(AES_GCM_192);
- testGcmEncryptionTagLen(AES_GCM_256);
+ testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
+ testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
+ testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testGcmDecryptionTagLen(AES_GCM_128);
- testGcmDecryptionTagLen(AES_GCM_192);
- testGcmDecryptionTagLen(AES_GCM_256);
+ testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
+ testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
+ testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- testGcmWrongTag(AES_GCM_128);
- testGcmWrongTag(AES_GCM_192);
- testGcmWrongTag(AES_GCM_256);
+ testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
+ testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
+ testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
{
- testGcmDifferentIvSizes(AES_GCM_128);
- testGcmDifferentIvSizes(AES_GCM_192);
- testGcmDifferentIvSizes(AES_GCM_256);
+ testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
+ testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
+ testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
}
RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
{
- testBackend b(PolicyBackend::FORCE_SOFTWARE);
- encryptionWithCustomData(AES_GCM_128, CKMC_PARAM_ED_AAD);
- encryptionWithCustomData(AES_GCM_192, CKMC_PARAM_ED_AAD);
- encryptionWithCustomData(AES_GCM_256, CKMC_PARAM_ED_AAD);
+ encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
+ encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
+ encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD);
}
RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv)
{
RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl");
- encryptionWithCustomData(RSA_OAEP_1024, CKMC_PARAM_ED_LABEL);
- encryptionWithCustomData(RSA_OAEP_2048, CKMC_PARAM_ED_LABEL);
- encryptionWithCustomData(RSA_OAEP_4096, CKMC_PARAM_ED_LABEL);
+ encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL);
+ encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL);
+ encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL);
}
RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv)
{
- testRsaLongestData(RSA_OAEP_1024, 86);
- testRsaLongestData(RSA_OAEP_2048, 214);
- testRsaLongestData(RSA_OAEP_4096, 470);
+ testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86);
+ testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214);
+ testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470);
}
RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv)
{
- testRsaDataTooLong(RSA_OAEP_1024, 87);
- testRsaDataTooLong(RSA_OAEP_2048, 215);
- testRsaDataTooLong(RSA_OAEP_4096, 471);
+ testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87);
+ testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215);
+ testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471);
}
/////////////////////////////////////////
// Asynchronous only tests
/////////////////////////////////////////
-RUNNER_TEST(TED_2000_enc_no_observer_async, EncEnv)
+RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
+ testAllAlgorithms([](const Algo& algo){
// prepare buffers
RawBuffer plain = createRandomBuffer(BUF_LEN);
// keys
- KeyAliasPair aliases = algo->keyGen(nullptr);
+ KeyAliasPair aliases = getKey(algo, PRIMARY);
// params
ckmc_param_list_h handle = NULL;
- assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+ assert_positive(ckmc_generate_new_params, algo.type, &handle);
ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
- setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+ setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
// encrypt
test_no_observer(&ManagerAsync::encrypt,
RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv)
{
- testAllAlgorithms([](const AlgoBasePtr& algo){
- // prepare buffers
- RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
-
+ testAllAlgorithms([](const Algo& algo){
// encrypt
- auto ret = encrypt(algo, plain);
+ auto ret = encrypt(algo, PLAIN_DATA);
RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size);
// decrypt
"Key value has been changed by service");
}
+RUNNER_TEST(T1020_save_big_data)
+{
+#ifdef TZ_BACKEND
+ const size_t BIG_SIZE = 100000;
+ CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_HARDWARE;
+#else
+ const size_t BIG_SIZE = 5000000;
+ CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+ int temp;
+ std::vector<char> big_data(BIG_SIZE);
+ std::ifstream is("/dev/urandom", std::ifstream::binary);
+ if(is)
+ is.read(big_data.data(), BIG_SIZE);
+
+ RUNNER_ASSERT_MSG(is,
+ "Only " << is.gcount() << "/" << BIG_SIZE << " bytes read from /dev/urandom");
+
+ CKM::RawBuffer buffer(big_data.begin(), big_data.end());
+ CKM::Policy policy(CKM::Password(), true, backend);
+ CKM::RawBuffer returned;
+
+ auto manager = CKM::Manager::create();
+
+ RUNNER_ASSERT_MSG(
+ CKM_API_SUCCESS == (temp = manager->saveData("big_data", buffer, policy)),
+ "Error=" << CKM::APICodeToString(temp));
+
+ RUNNER_ASSERT_MSG(
+ CKM_API_SUCCESS == (temp = manager->getData("big_data", CKM::Password(), returned)),
+ "Error=" << CKM::APICodeToString(temp));
+
+ RUNNER_ASSERT_MSG(buffer == returned, "Returned data doesn't match the original");
+}
+
RUNNER_TEST(T1015_deinit)
{
remove_user_data(USER_APP);
std::string message = "message test";
- CKM::Alias aliasPub = "ecpub_nohash1";
CKM::Alias aliasPrv = "ecprv_nohash1";
CKM::HashAlgorithm hash = CKM::HashAlgorithm::NONE;
CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::PKCS1;
CKM::RawBuffer signature;
RUNNER_ASSERT_MSG(
- CKM_API_SUCCESS == (temp = manager->createSignature(
- aliasPrv,
- CKM::Password(),
- CKM::RawBuffer(message.begin(), message.end()),
- hash,
- padd,
- signature)),
- "Error=" << CKM::APICodeToString(temp));
-
- RUNNER_ASSERT_MSG(
- CKM_API_SUCCESS == (temp = manager->verifySignature(
- aliasPub,
- CKM::Password(),
- CKM::RawBuffer(message.begin(), message.end()),
- signature,
- hash,
- padd)),
- "Error=" << CKM::APICodeToString(temp));
-
- RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
-
- memcpy((void*)signature.data(), "BROKEN", 6);
-
- RUNNER_ASSERT_MSG(
- CKM_API_ERROR_VERIFICATION_FAILED == (temp = manager->verifySignature(
- aliasPub,
- CKM::Password(),
- CKM::RawBuffer(message.begin(), message.end()),
- signature,
- hash,
- padd)),
- "Error=" << CKM::APICodeToString(temp));
-}
-
-RUNNER_TEST(T14185_ECDSA_create_signatue_nohash_bigmsg)
-{
- int temp;
- auto manager = CKM::Manager::create();
-
- int msgSize = 1024*1024;
- char big_msg[msgSize];
- for(int i =0; i<msgSize-1; i++) {
- big_msg[i] = 'a';
- }
- big_msg[msgSize-1]=0x00;
- std::string message(big_msg);
-
- CKM::Alias aliasPub = "ecpub_nohash1";
- CKM::Alias aliasPrv = "ecprv_nohash1";
- CKM::HashAlgorithm hash = CKM::HashAlgorithm::NONE;
- CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::NONE;
- CKM::RawBuffer signature;
-
- RUNNER_ASSERT_MSG(
- CKM_API_SUCCESS == (temp = manager->createSignature(
+ CKM_API_ERROR_INPUT_PARAM == (temp = manager->createSignature(
aliasPrv,
CKM::Password(),
CKM::RawBuffer(message.begin(), message.end()),
"Error=" << CKM::APICodeToString(temp));
}
-
RUNNER_TEST(T14189_deinit)
{
remove_user_data(USER_APP);
int temp;
auto manager = CKM::Manager::create();
- std::string prv = "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I\n"
- "v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI\n"
- "ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB\n"
- "AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA\n"
- "snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/\n"
- "iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh\n"
- "dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY\n"
- "bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO\n"
- "vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R\n"
- "ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7\n"
- "pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm\n"
- "oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D\n"
- "3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7\n"
- "-----END RSA PRIVATE KEY-----";
+ std::string prv =
+ "-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U\n"
+ "BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy\n"
+ "QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB\n"
+ "AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn\n"
+ "RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh\n"
+ "22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR\n"
+ "wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys\n"
+ "PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU\n"
+ "91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9\n"
+ "uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS\n"
+ "Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2\n"
+ "wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx\n"
+ "bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw==\n"
+ "-----END RSA PRIVATE KEY-----\n";
+
std::string message = "message test";
auto keyPrv = CKM::Key::create(CKM::RawBuffer(prv.begin(), prv.end()), CKM::Password());
// this certificate has been signed using PKCS chain
std::string im =
"-----BEGIN CERTIFICATE-----\n"
- "MIIBozCCAQwCAQEwDQYJKoZIhvcNAQEFBQAwHDEaMBgGA1UEAwwRc2VydmVyQHRl\n"
- "c3RtZS5jb20wHhcNMTUxMjA5MTA0NjU0WhcNMjUxMjA2MTA0NjU0WjAYMRYwFAYD\n"
- "VQQDDA1lZUB0ZXN0bWUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP\n"
- "+fNsZB1Vlmhnk0IwYDs7Pw9E38KQfTt/egqqRFN6IvIt0CCDBXqnPTujuvlO2OyL\n"
- "XVuALnIBmTDm5Oz+oz+qiY6/XrVS/CoACNZyMo6ihG9OeocvDbU3jXEaPGL6ib/x\n"
- "jlms0aA9d5L9TO2lEzEP7bFKgHCB8FWINcxSP5zl1QIDAQABMA0GCSqGSIb3DQEB\n"
- "BQUAA4GBAKBpVJMkdK6/qnAz7d7Bul/BhhSLEYbNPdxRiUj3U2dt0GJgswMu2SNT\n"
- "/3NXB8V8mnnXR6cWn5bmjyA7ZpQEKAatS/KEQ9wfLXyCgYDRebX71mVKAI3XcyxB\n"
- "p2qsOWWaJhuHmC1GVjx3foL+RDrmRo6BiucNHMIuvrd1W36eKdhj\n"
+ "MIICxDCCAi0CFGHuCEUksqn0Rr3SXdhn+TlnL804MA0GCSqGSIb3DQEBCwUAMGEx\n"
+ "CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl\n"
+ "cm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEXNlcnZlckB0ZXN0bWUuY29t\n"
+ "MB4XDTE5MDYxMzEyMTkyNloXDTI5MDYxMDEyMTkyNlowXTELMAkGA1UEBhMCQVUx\n"
+ "EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg\n"
+ "UHR5IEx0ZDEWMBQGA1UEAwwNZWVAdGVzdG1lLmNvbTCCASIwDQYJKoZIhvcNAQEB\n"
+ "BQADggEPADCCAQoCggEBAK3/XvE3uc2EhzwmsAfq6KEw52J8kCAB9Rma/qjkw6ZT\n"
+ "yUYmSQvmcK8wSDt015Y/ekYLereCeWNLNkFlQeZC7LHT6T1mGnxNIgL3oUS2c+15\n"
+ "FEYX9QJIN/CoJYQ/tmiQPa1OJz4prUFwqAzM1kRtHGfcAGmQHfgu77P3ljAJzfsW\n"
+ "2beVHM+MTNSybkGHql28Z93bp382k5FQXegkxbozsKBMk37QjKiqes29J/ET0Huy\n"
+ "yzOkf+XvbizIPRvMt/2guw9sgRb7YrM2M+igmHIHxfzxuqzpPr+bmcqQdyFdVkAK\n"
+ "Qcx930HbfjHJ5k5vcovPLQ3LvSnYVCTe7aCAAmMzKXsCAwEAATANBgkqhkiG9w0B\n"
+ "AQsFAAOBgQBfFMim/9zLd+EeZyeYA0vy3C9YuNJI+KsZlKAfrFDQNeIT/qg/GQM4\n"
+ "o7I3TIHQ62tdEx6nBJs0DKSAmhRh4yc+P1KHMzIQIgSjftqS3Z+AKbJn6vOpWNTq\n"
+ "cexnpexaNn69dbqJZsjr0fHsGAkh5n96icAB4VZyFncEknZKbTdd0g==\n"
"-----END CERTIFICATE-----\n";
auto cert = CKM::Certificate::create(CKM::RawBuffer(im.begin(), im.end()), CKM::DataFormat::FORM_PEM);
--- /dev/null
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file sign-verify.cpp
+ * @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version 1.0
+ */
+
+#include <string>
+#include <vector>
+#include <unordered_map>
+
+#include <dpl/test/test_runner.h>
+#include <ckm-common.h>
+#include <ckmc/ckmc-manager.h>
+#include <ckmc/ckmc-control.h>
+#include <ckm/ckm-type.h>
+#include <ckm/ckm-manager.h>
+
+using namespace CKM;
+
+namespace {
+
+const char* PASSWORD = "test-password";
+const uid_t UID = 5001;
+
+struct KeyAliasPair
+{
+ Alias prv;
+ Alias pub;
+};
+
+enum Algo {
+ RSA,
+ DSA,
+ ECDSA
+};
+
+// algo names
+const std::unordered_map<Algo, std::string> ALGO2STR = {
+ { RSA, "RSA" },
+ { DSA, "DSA" },
+ { ECDSA, "ECDSA" },
+};
+
+// keys
+std::unordered_map<Algo, std::unordered_map<size_t, std::vector<KeyAliasPair>>> KEYS;
+
+enum KeyIdx {
+ PRIMARY = 0,
+ PASSWORD_PROTECTED = 1,
+
+ KEY_IDX_MAX
+};
+
+// hash algo names
+const std::unordered_map<ckmc_hash_algo_e, std::string> HASH2STR = {
+#ifndef TZ_BACKEND
+ // no hash is not supported in TZ
+ { CKMC_HASH_NONE, "NONE" },
+#endif
+ { CKMC_HASH_SHA1, "SHA1" },
+ { CKMC_HASH_SHA256, "SHA256" },
+ { CKMC_HASH_SHA384, "SHA384" },
+ { CKMC_HASH_SHA512, "SHA512" },
+};
+
+// padding names
+const std::unordered_map<ckmc_rsa_padding_algo_e, std::string> PAD2STR = {
+#ifndef TZ_BACKEND
+ // no padding is not supported in TZ
+ { CKMC_NONE_PADDING, "NONE" },
+#endif
+ { CKMC_PKCS1_PADDING, "PKCS1" },
+#ifndef TZ_BACKEND
+ // X9.31 is not supported in TZ
+ { CKMC_X931_PADDING, "X931" },
+#endif
+};
+
+const int EC_PRIME192V1 = static_cast<int>(ElipticCurve::prime192v1);
+const int EC_PRIME256V1 = static_cast<int>(ElipticCurve::prime256v1);
+const int EC_SECP384R1 = static_cast<int>(ElipticCurve::secp384r1);
+
+// test messages
+RawBufferPtr MESSAGE_SHORT;
+std::unordered_map<size_t, RawBufferPtr> MESSAGES;
+RawBufferPtr MESSAGE_LONG;
+
+class SignVerifyGroupFixture: public DPL::Test::TestGroup
+{
+public:
+ void Init() override
+ {
+ remove_user_data(UID);
+ int ret = ckmc_unlock_user_key(UID, "db-pass");
+ if (ret != CKMC_ERROR_NONE)
+ RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
+
+ // Policy backend to use in subsequent operations (global for each test case)
+#ifdef TZ_BACKEND
+ m_backend = PolicyBackend::FORCE_HARDWARE;
+#else
+ m_backend = PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+ // generate keys
+ m_manager = Manager::create();
+ generateKeys(RSA, 1024);
+ generateKeys(RSA, 2048);
+ generateKeys(RSA, 4096);
+ generateKeys(DSA, 1024);
+#ifndef TZ_BACKEND
+ /*
+ * For DSA with SHA1 only 1024-bit keys are supported and TZ does not currently support
+ * anything else than SHA1 for DSA.
+ */
+ generateKeys(DSA, 2048);
+ generateKeys(DSA, 3072);
+ generateKeys(DSA, 4096);
+#endif
+#ifndef TZ_BACKEND
+ // ECDSA is not yet supported on TZ
+ generateKeys(ECDSA, EC_PRIME192V1);
+ generateKeys(ECDSA, EC_PRIME256V1);
+ generateKeys(ECDSA, EC_SECP384R1);
+#endif
+
+ MESSAGE_SHORT = create_raw_buffer(createRandomBufferCAPI(512/8));
+
+ // Set first byte to 0 to avoid "data too large for modulus" error in unpadded RSA
+ MESSAGES[1024] = create_raw_buffer(createRandomBufferCAPI(1024/8));
+ MESSAGES[1024]->data[0] = 0;
+ MESSAGES[2048] = create_raw_buffer(createRandomBufferCAPI(2048/8));
+ MESSAGES[2048]->data[0] = 0;
+ MESSAGES[3072] = create_raw_buffer(createRandomBufferCAPI(3072/8));
+ MESSAGES[3072]->data[0] = 0;
+ MESSAGES[4096]= create_raw_buffer(createRandomBufferCAPI(4096/8));
+ MESSAGES[4096]->data[0] = 0;
+
+ MESSAGE_LONG = create_raw_buffer(createRandomBufferCAPI(1000));
+ }
+
+ void generateKeys(Algo type, size_t bitLen)
+ {
+ for (int i = 0; i < KEY_IDX_MAX; i++)
+ {
+ Policy prvPolicy(Password(), false, m_backend);
+ Policy pubPolicy(Password(), true, m_backend);
+ if (i == PASSWORD_PROTECTED) {
+ prvPolicy.password.assign(PASSWORD);
+ pubPolicy.password.assign(PASSWORD);
+ }
+
+ KeyAliasPair alias;
+ alias.prv = ALGO2STR.at(type) + std::string("_") + std::to_string(bitLen) +
+ std::string("_") + std::to_string(i);
+ alias.pub = std::string("pub") + alias.prv;
+ int ret;
+ switch (type)
+ {
+ case RSA:
+ ret = m_manager->createKeyPairRSA(bitLen,
+ alias.prv, alias.pub,
+ prvPolicy, pubPolicy);
+ break;
+ case DSA:
+ ret = m_manager->createKeyPairDSA(bitLen,
+ alias.prv, alias.pub,
+ prvPolicy, pubPolicy);
+ break;
+ case ECDSA:
+ ret = m_manager->createKeyPairECDSA(static_cast<ElipticCurve>(bitLen),
+ alias.prv, alias.pub,
+ prvPolicy, pubPolicy);
+ break;
+ default:
+ ret = CKM_API_ERROR_UNKNOWN;
+ }
+ if (ret != CKM_API_SUCCESS)
+ RUNNER_ERROR_MSG("key creation failed. Type: " << ALGO2STR.at(type) <<
+ " bits: " << bitLen << " error: " << APICodeToString(ret));
+
+ KEYS[type][bitLen].push_back(alias);
+ }
+ }
+
+ void Finish() override
+ {
+ for (const auto &type : KEYS) {
+ for (const auto &entry : type.second) {
+ for (const auto &keyPair : entry.second) {
+ m_manager->removeAlias(keyPair.prv);
+ m_manager->removeAlias(keyPair.pub);
+ }
+ }
+ }
+
+ MESSAGE_SHORT.reset();
+
+ int ret = ckmc_lock_user_key(UID);
+ if (ret != CKMC_ERROR_NONE)
+ RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
+ remove_user_data(UID);
+ }
+private:
+ ManagerShPtr m_manager;
+ PolicyBackend m_backend;
+};
+
+std::string params2str(const Alias& alias,
+ const ckmc_hash_algo_e hash,
+ const ckmc_rsa_padding_algo_e padding,
+ const RawBufferPtr& message)
+{
+ std::stringstream ss;
+ ss << " Alias: " << alias << ", hash algo: " << HASH2STR.at(hash) <<
+ ", padding: " << PAD2STR.at(padding) << ", message len: " << message->size << "B.";
+ return ss.str();
+}
+
+void signExpect(int expected,
+ const Alias& alias,
+ const char* pw,
+ const RawBufferPtr& message,
+ const ckmc_hash_algo_e hash,
+ const ckmc_rsa_padding_algo_e padding,
+ RawBufferPtr& signature)
+{
+ ckmc_raw_buffer_s* cSignature = nullptr;
+
+ int ret = ckmc_create_signature(alias.c_str(), pw, *message, hash, padding, &cSignature);
+ RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature creation." <<
+ params2str(alias, hash, padding, message) <<
+ " Expected: " << CKMCErrorToString(expected) <<
+ " got: " << CKMCErrorToString(ret));
+ if (ret == CKMC_ERROR_NONE) {
+ RUNNER_ASSERT_MSG(cSignature != nullptr && cSignature->size > 0,
+ "Empty signature returned." <<
+ params2str(alias, hash, padding, message));
+ signature = create_raw_buffer(cSignature);
+ } else {
+ RUNNER_ASSERT_MSG(cSignature == nullptr,
+ "Non-empty signature returned." <<
+ params2str(alias, hash, padding, message));
+ }
+}
+
+void signInvalid(const Alias& alias,
+ const char* pw,
+ const RawBufferPtr& message,
+ const ckmc_hash_algo_e hash,
+ const ckmc_rsa_padding_algo_e padding)
+{
+ RawBufferPtr signature;
+ signExpect(CKMC_ERROR_INVALID_PARAMETER, alias, pw, message, hash, padding, signature);
+}
+
+void verifyExpect(int expected,
+ const Alias& alias,
+ const char* pw,
+ const RawBufferPtr& message,
+ const ckmc_hash_algo_e hash,
+ const ckmc_rsa_padding_algo_e padding,
+ const RawBufferPtr& signature)
+{
+ int ret = ckmc_verify_signature(alias.c_str(), pw, *message, *signature, hash, padding);
+ RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature verification." <<
+ params2str(alias, hash, padding, message) <<
+ " Expected: " << CKMCErrorToString(expected) <<
+ " got: " << CKMCErrorToString(ret));
+}
+
+void signVerify(const KeyAliasPair& aliasPair,
+ const char* pw,
+ const RawBufferPtr& message,
+ const ckmc_hash_algo_e hash,
+ const ckmc_rsa_padding_algo_e padding)
+{
+ RawBufferPtr signature;
+ signExpect(CKMC_ERROR_NONE, aliasPair.prv, pw, message, hash, padding, signature);
+
+ RUNNER_ASSERT_MSG(signature->size > 0, "Empty signature returned");
+
+ verifyExpect(CKMC_ERROR_NONE, aliasPair.pub, pw, message, hash, padding, signature);
+
+ // modify 1 bit of the signature
+ signature->data[0] ^= 0x01;
+
+ // expect verification failure
+ verifyExpect(CKMC_ERROR_VERIFICATION_FAILED,
+ aliasPair.pub,
+ pw,
+ message,
+ hash,
+ padding,
+ signature);
+}
+// test given key pair against all hash and padding algos
+void testSignVerify(Algo algo, size_t keyBits, int idx)
+{
+#ifdef TZ_BACKEND
+ if (algo == DSA && keyBits > 1024)
+ RUNNER_IGNORED_MSG("For DSA with SHA1 only 1024-bit keys are supported and TZ does not"\
+ " currently support anything else than SHA1 for DSA.");
+ if (algo == ECDSA)
+ RUNNER_IGNORED_MSG("ECDSA is not yet supported in TZ");
+#endif
+
+ std::string pw;
+ if (idx == PASSWORD_PROTECTED)
+ pw = PASSWORD;
+
+ const KeyAliasPair& keys = KEYS[algo][keyBits][idx];
+
+ // iterate over hash algorithms
+ for (const auto& hash : HASH2STR) {
+#ifdef TZ_BACKEND
+ // in case of DSA only SHA1 is supported on TZ
+ if (algo == DSA && hash.first != CKMC_HASH_SHA1)
+ continue;
+#endif
+
+ // iterate over padding algorithms
+ for (const auto& pad : PAD2STR) {
+ auto expectSuccess = [&](const RawBufferPtr& msg) {
+ signVerify(keys, pw.c_str(), msg, hash.first, pad.first);
+ };
+ auto expectInvalid = [&](const RawBufferPtr& msg) {
+ signInvalid(keys.prv, pw.c_str(), msg, hash.first, pad.first);
+ };
+
+ // padding is for RSA only, other algos should ignore it
+ if (algo == RSA && pad.first == CKMC_NONE_PADDING) {
+ if (hash.first == CKMC_HASH_NONE) {
+ // no hash + no padding + key matching message
+ expectSuccess(MESSAGES.at(keyBits));
+ }
+ // no padding + short message
+ expectInvalid(MESSAGE_SHORT);
+
+ // no padding + long message
+ expectInvalid(MESSAGE_LONG);
+
+ } else {
+ if (hash.first == CKMC_HASH_NONE) {
+ // no hash + padding + long message
+ expectInvalid(MESSAGE_LONG);
+
+ // no hash + padding + short message
+ if (algo == RSA)
+ expectSuccess(MESSAGE_SHORT);
+ else
+ expectInvalid(MESSAGE_SHORT); // no support for CKMC_HASH_NONE
+ } else {
+ // hash + padding + short message
+ expectSuccess(MESSAGE_SHORT);
+
+ // hash + padding + long message
+ expectSuccess(MESSAGE_LONG);
+ }
+ }
+ }
+ }
+}
+
+} // namespace anonymous
+
+RUNNER_TEST_GROUP_INIT_ENV(CKM_SIGN_VERIFY, SignVerifyGroupFixture);
+
+
+// RSA
+RUNNER_TEST(TSV_0110_sign_verify_rsa_1024)
+{
+ testSignVerify(RSA, 1024, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0120_sign_verify_rsa_1024_pw)
+{
+ testSignVerify(RSA, 1024, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0130_sign_verify_rsa_2048)
+{
+ testSignVerify(RSA, 2048, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0140_sign_verify_rsa_2048_pw)
+{
+ testSignVerify(RSA, 2048, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0150_sign_verify_rsa_4096)
+{
+ testSignVerify(RSA, 4096, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0160_sign_verify_rsa_4096_pw)
+{
+ testSignVerify(RSA, 4096, PASSWORD_PROTECTED);
+}
+
+
+// DSA
+RUNNER_TEST(TSV_0210_sign_verify_dsa_1024)
+{
+ testSignVerify(DSA, 1024, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0220_sign_verify_dsa_1024_pw)
+{
+ testSignVerify(DSA, 1024, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0230_sign_verify_dsa_2048)
+{
+ testSignVerify(DSA, 2048, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0240_sign_verify_dsa_2048_pw)
+{
+ testSignVerify(DSA, 2048, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0250_sign_verify_dsa_3072)
+{
+ testSignVerify(DSA, 3072, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0260_sign_verify_dsa_3072_pw)
+{
+ testSignVerify(DSA, 3072, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0270_sign_verify_dsa_4096)
+{
+ testSignVerify(DSA, 4096, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0280_sign_verify_dsa_4096_pw)
+{
+ testSignVerify(DSA, 4096, PASSWORD_PROTECTED);
+}
+
+
+// ECDSA
+RUNNER_TEST(TSV_0310_sign_verify_ecdsa_PRIME192V1)
+{
+ testSignVerify(ECDSA, EC_PRIME192V1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0320_sign_verify_ecdsa_PRIME192V1_pw)
+{
+ testSignVerify(ECDSA, EC_PRIME192V1, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0330_sign_verify_ecdsa_PRIME256V1)
+{
+ testSignVerify(ECDSA, EC_PRIME256V1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0340_sign_verify_ecdsa_PRIME256V1_pw)
+{
+ testSignVerify(ECDSA, EC_PRIME256V1, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0350_sign_verify_ecdsa_SECP384R1)
+{
+ testSignVerify(ECDSA, EC_SECP384R1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0360_sign_verify_ecdsa_SECP384R1_pw)
+{
+ testSignVerify(ECDSA, EC_SECP384R1, PASSWORD_PROTECTED);
+}
+
+// TODO: border cases for padding
+// TODO: invalid arguments
+// TODO: Big data
break;
last = onlycap.find_first_of(SEPARATORS, first + 1);
- onlycapSet.insert(onlycap.substr(first, last - first));
+ if (last == std::string::npos)
+ onlycapSet.insert(onlycap.substr(first));
+ else
+ onlycapSet.insert(onlycap.substr(first, last - first));
}
return onlycapSet;
}
newOnlycap.insert(m_label);
smackSetOnlycap(newOnlycap);
} else {
- m_originalLabel.clear();
m_originalOnlycap.clear();
}
}
if (!m_originalLabel.empty()) {
try {
smackSetLabelForSelf(m_originalLabel);
- smackSetOnlycap(m_originalOnlycap);
+ if (!m_originalOnlycap.empty())
+ smackSetOnlycap(m_originalOnlycap);
} catch (const DPL::Test::TestException& e) {
RUNNER_ERROR_MSG("Test exception occurred: " << e.GetMessage());
} catch (const std::exception& e) {
projects / platform / core / test / security-tests.git / commitdiff