Merge branch 'nether' into tizen

author Dariusz Michaluk <d.michaluk@samsung.com>

Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)

committer Dariusz Michaluk <d.michaluk@samsung.com>

Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)
author Dariusz Michaluk <d.michaluk@samsung.com>
Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)
committer Dariusz Michaluk <d.michaluk@samsung.com>
Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)
diff --git a/CMakeLists.txt b/CMakeLists.txt

index ea0f922..cad0353 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2012-2017 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2012-2020 Samsung Electronics Co., Ltd. All rights reserved
  #
  #    Licensed under the Apache License, Version 2.0 (the "License");
  #    you may not use this file except in compliance with the License.
@@ -35,7 +35,7 @@ INCLUDE(FindPkgConfig)
  ############################# compiler flags ##################################
  
  SET(CMAKE_C_FLAGS              "-g")
-SET(CMAKE_CXX_FLAGS            "-g -std=c++0x")
+SET(CMAKE_CXX_FLAGS            "-g -std=c++14")
  SET(CMAKE_C_FLAGS_PROFILING    "-O0 -pg")
  SET(CMAKE_CXX_FLAGS_PROFILING  "-O0 -pg")
  SET(CMAKE_C_FLAGS_DEBUG        "-O0 -ggdb")
@@ -85,6 +85,7 @@ ADD_DEFINITIONS("-Wextra")                      # Generate even more extra warni
  ADD_DEFINITIONS("-Wno-variadic-macros")         # Inhibit variadic macros warnings (needed for ORM)
  ADD_DEFINITIONS("-Wno-deprecated")               # No warnings about deprecated features
  ADD_DEFINITIONS("-Wno-deprecated-declarations")               # No warnings about deprecated features
+ADD_DEFINITIONS("-Wno-implicit-fallthrough")    # No warnings about switc() statements, often done on purpose
  ADD_DEFINITIONS("-DCYNARA_DB_DIR=\"${CYNARA_DB_DIR}\"")
  ADD_DEFINITIONS("-DAPP_USER=\"${APP_USER}\"")
  
diff --git a/packaging/security-tests.manifest b/packaging/security-tests.manifest

index 790c851..ea004f1 100644 (file)
--- a/packaging/security-tests.manifest
+++ b/packaging/security-tests.manifest
@@ -8,6 +8,8 @@
          <filesystem path="/usr/bin/ckm-tests" exec_label="User" />
          <filesystem path="/usr/bin/ckm-privileged-tests" exec_label="System::Privileged" />
          <filesystem path="/usr/bin/nether-tests" exec_label="System::Privileged" />
+        <filesystem path="/usr/bin/libteec-tests" exec_label="System::Privileged" />
+        <filesystem path="/usr/bin/yaca-test" exec_label="System::Privileged" />
      </assign>
      <request>
          <domain name="_" />
diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec

index 4145d08..1ae363e 100644 (file)
--- a/packaging/security-tests.spec
+++ b/packaging/security-tests.spec
@@ -13,6 +13,8 @@ BuildRequires: pkgconfig(libcap)
  BuildRequires: pkgconfig(libsmack)
  BuildRequires: pkgconfig(security-manager)
  BuildRequires: pkgconfig(key-manager)
+BuildRequires: key-manager-initial-values
+BuildRequires: util-linux
  BuildRequires: pkgconfig(yaca)
  BuildRequires: pkgconfig(dlog)
  BuildRequires: pkgconfig(glib-2.0)
@@ -21,15 +23,18 @@ BuildRequires: pkgconfig(libpcrecpp)
  BuildRequires: pkgconfig(libxml-2.0)
  BuildRequires: pkgconfig(sqlite3)
  BuildRequires: pkgconfig(libwebappenc)
-BuildRequires: pkgconfig(openssl)
+BuildRequires: pkgconfig(openssl1.1)
  BuildRequires: cynara-devel
  BuildRequires: libcynara-creds-dbus-devel
  BuildRequires: libcynara-creds-gdbus-devel
+BuildRequires: libcynara-creds-sd-bus-devel
  BuildRequires: pkgconfig(libtzplatform-config)
  BuildRequires: boost-devel
  BuildRequires: pkgconfig(vconf)
  BuildRequires: pkgconfig(libgum) >= 1.0.5
  BuildRequires: pkgconfig(security-privilege-manager)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: openssl1.1
  Requires: perf
  Requires: gdb
  Requires: diffutils
@@ -38,18 +43,21 @@ Requires: toybox-symlinks-ping
  
  %global ckm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-test/}
  %global ckm_rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/}
+%global tz_backend_enabled %{?tz_backend:%tz_backend}%{!?tz_backend:OFF}
  
  %description
  Security tests repository - for tests that can't be kept together with code.
  
  %prep
  %setup -q
-cp %{SOURCE1} .
  
  %build
  export LDFLAGS+="-Wl,--rpath=%{_prefix}/lib"
  
  cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \
+%if %{tz_backend_enabled} == ON
+        -DTZ_BACKEND="ON"                 \
+%endif
          -DDPL_LOG="ON"                    \
          -DDPL_WITH_DLOG="ON"              \
          -DVERSION=%{version}              \
@@ -73,6 +81,7 @@ id -u  security_test_user 1>/dev/null 2>&1 || \
  %install
  %make_install
  ln -sf /etc/smack/test_smack_rules %{buildroot}/etc/smack/test_smack_rules_lnk
+cp -a %{SOURCE1} %{buildroot}%{_datadir}/
  
  %post
  # Reload dbus daemon to apply newly installed configuration
@@ -81,7 +90,7 @@ systemctl reload dbus
  echo "security-tests postinst done ..."
  
  %files
-%manifest %{name}.manifest
+%manifest %{_datadir}/%{name}.manifest
  %defattr(-, root, root, -)
  /usr/bin/security-tests.sh
  /usr/bin/security-tests-all.sh
@@ -105,9 +114,8 @@ echo "security-tests postinst done ..."
  %attr(755, security_test_user,users) %{TZ_SYS_HOME}/security_test_user/apps_rw/*
  /usr/bin/cynara-test
  /usr/bin/ckm-tests
-/usr/bin/ckm-privileged-tests
-/usr/bin/ckm-tests-on-onlycap.sh
-/usr/bin/ckm-integration-tests
+%caps(cap_mac_admin=ep) /usr/bin/ckm-privileged-tests
+%caps(cap_mac_admin=ep) /usr/bin/ckm-integration-tests
  /usr/bin/yaca-test
  /usr/bin/nether-tests
  %{ckm_test_dir}/*
diff --git a/src/ckm-integration/ckm-policy.cpp b/src/ckm-integration/ckm-policy.cpp

index 9f33c3e..381a597 100644 (file)
--- a/src/ckm-integration/ckm-policy.cpp
+++ b/src/ckm-integration/ckm-policy.cpp
@@ -32,7 +32,7 @@ CKMPolicy::CKMPolicy(
    , m_privileges(std::move(priv))
  {
      std::stringstream ss;
-    ss << "User::App::" << m_pkgId;
+    ss << "User::Pkg::" << m_pkgId;
      m_smackLabel = ss.str();
  }
  
diff --git a/src/ckm-integration/group01.cpp b/src/ckm-integration/group01.cpp

index 563a68b..90b8798 100644 (file)
--- a/src/ckm-integration/group01.cpp
+++ b/src/ckm-integration/group01.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -61,32 +61,32 @@ RUNNER_CHILD_TEST(G01T01_ControlNegative) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->removeUserData(ps.GetUid())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(),
          "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(), "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->unlockUserKey(ps.GetUid(), "test-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->lockUserKey(ps.GetUid())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->resetUserPassword(ps.GetUid(), "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = control->removeUserData(ps.GetUid())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(G01T02_ControlPositive) {
@@ -99,32 +99,32 @@ RUNNER_CHILD_TEST(G01T02_ControlPositive) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_UID)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_UID,
          "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_UID, "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_UID, "test-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_UID)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_BAD_REQUEST == (temp = control->resetUserPassword(USER_UID, "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_UID)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(G01T03_ProcessIdentificationBySecurityManager) {
diff --git a/src/ckm-integration/group02.cpp b/src/ckm-integration/group02.cpp

index 5fb68cf..23bbf4a 100644 (file)
--- a/src/ckm-integration/group02.cpp
+++ b/src/ckm-integration/group02.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -70,11 +70,11 @@ RUNNER_CHILD_TEST(G02T01_StorageNegative) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(G02T02_StoragePositive) {
@@ -92,11 +92,11 @@ RUNNER_CHILD_TEST(G02T02_StoragePositive) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getData(alias, CKM::Password(), output)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(rawBuffer == output, "Data mismatch.");
  }
@@ -116,11 +116,11 @@ RUNNER_CHILD_TEST(G02T03_StoragePositive) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData(dataAlias, rawBuffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getData(dataAlias, CKM::Password(), output)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(rawBuffer == output, "Data mismatch.");
  }
@@ -146,11 +146,11 @@ RUNNER_CHILD_TEST(G02T04_StorageNegative) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(G02T05_StorageNegative) {
@@ -169,10 +169,10 @@ RUNNER_CHILD_TEST(G02T05_StorageNegative) {
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, rawBuffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->getData(alias, CKM::Password(), output)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
diff --git a/src/ckm-integration/process-settings/change-smack.cpp b/src/ckm-integration/process-settings/change-smack.cpp

index f56c506..f83aec4 100644 (file)
--- a/src/ckm-integration/process-settings/change-smack.cpp
+++ b/src/ckm-integration/process-settings/change-smack.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
  /*
   * @file       change-smack.cpp
   * @author     Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
   * @version    1.0
   */
  #include <sys/smack.h>
@@ -23,6 +24,7 @@
  #include <tests_common.h>
  
  #include <process-settings/change-smack.h>
+#include <scoped_process_label.h>
  
  namespace ProcessSettings {
  
@@ -31,22 +33,11 @@ ChangeSmack::ChangeSmack(const Policy &policy)
  {}
  
  void ChangeSmack::Apply() {
-    char *my_label = nullptr;
-
-    RUNNER_ASSERT(-1 != smack_new_label_from_self(&my_label));
-
-    if (my_label)
-        m_originalLabel = my_label;
-
-    free(my_label);
-
-    RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_policy.GetSmackLabel().c_str()),
-        "Error in smack_set_label_for_self(" << m_policy.GetSmackLabel() << ")");
+    m_processLabel.reset(new ScopedProcessLabel(m_policy.GetSmackLabel()));
  }
  
  void ChangeSmack::Revoke() {
-    RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_originalLabel.c_str()),
-        "Error in smack_set_label_for_self(" << m_originalLabel << ")");
+    m_processLabel.reset();
  }
  
  ChangeSmack::~ChangeSmack() {}
diff --git a/src/ckm-integration/process-settings/change-smack.h b/src/ckm-integration/process-settings/change-smack.h

index ac51199..937c101 100644 (file)
--- a/src/ckm-integration/process-settings/change-smack.h
+++ b/src/ckm-integration/process-settings/change-smack.h
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -16,14 +16,18 @@
  /*
   * @file       change-smack.h
   * @author     Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
   * @version    1.0
   */
  #pragma once
  
  #include <string>
+#include <memory>
  
  #include <process-settings/policy.h>
  
+class ScopedProcessLabel;
+
  namespace ProcessSettings {
  
  class ChangeSmack {
@@ -34,7 +38,7 @@ public:
      virtual ~ChangeSmack();
  private:
      const Policy &m_policy;
-    std::string m_originalLabel;
+    std::unique_ptr<ScopedProcessLabel> m_processLabel;
  };
  
  } // namespace ProcessSettings
diff --git a/src/ckm-integration/process-settings/unlock-ckm.cpp b/src/ckm-integration/process-settings/unlock-ckm.cpp

index 78f9a6a..94ad371 100644 (file)
--- a/src/ckm-integration/process-settings/unlock-ckm.cpp
+++ b/src/ckm-integration/process-settings/unlock-ckm.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -44,7 +44,7 @@ void UnlockCkm::Apply() {
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(m_uid, "DummyPassword")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
  }
  
@@ -53,7 +53,7 @@ void UnlockCkm::Revoke() {
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(m_uid)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  UnlockCkm::~UnlockCkm() {}
diff --git a/src/ckm/CMakeLists.txt b/src/ckm/CMakeLists.txt

index fea09d3..97f1239 100644 (file)
--- a/src/ckm/CMakeLists.txt
+++ b/src/ckm/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2018 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2013-2019 Samsung Electronics Co., Ltd All Rights Reserved
  #
  #   Licensed under the Apache License, Version 2.0 (the "License");
  #   you may not use this file except in compliance with the License.
@@ -29,10 +29,19 @@ ENDIF (DEFINED SECURITY_MDFPP_STATE_ENABLED)
  
  ADD_DEFINITIONS("-DCKM_TEST_DIR=\"${CKM_TEST_DIR}\"")
  ADD_DEFINITIONS("-DCKM_RW_DATA_DIR=\"${CKM_RW_DATA_DIR}\"")
+OPTION("TZ_BACKEND" OFF)
+IF(TZ_BACKEND)
+    ADD_DEFINITIONS("-DTZ_BACKEND")
+ENDIF(TZ_BACKEND)
+
+OPTION("TZ_BACKEND" OFF)
+IF(TZ_BACKEND)
+    ADD_DEFINITIONS("-DTZ_BACKEND")
+ENDIF(TZ_BACKEND)
  
  PKG_CHECK_MODULES(CKM_TEST_COMMON_DEP
      REQUIRED
-    openssl
+    openssl1.1
      key-manager
      libtzplatform-config
  )
diff --git a/src/ckm/ckm-common.cpp b/src/ckm/ckm-common.cpp

index 914757c..714fa64 100644 (file)
--- a/src/ckm/ckm-common.cpp
+++ b/src/ckm/ckm-common.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
  #include <string>
  #include <fstream>
  #include <sys/smack.h>
+#include <ckm/ckm-type.h>
  #include <ckmc/ckmc-type.h>
  #include <ckm-common.h>
  #include <tests_common.h>
@@ -30,6 +31,7 @@
  #include <ckmc/ckmc-manager.h>
  #include <fcntl.h>
  #include <unistd.h>
+#include <unordered_map>
  
  const std::string SMACK_USER_APP_PREFIX = "User::Pkg::";
  const char *SYSTEM_LABEL = ckmc_owner_id_system;
@@ -120,35 +122,6 @@ const char * CKMCErrorToString(int error) {
          default: return "Error not defined";
      }
  }
-
-const char * CKMErrorToString(int error) {
-    switch (error) {
-        ERRORDESCRIBE(CKM_API_SUCCESS);
-        ERRORDESCRIBE(CKM_API_ERROR_SOCKET);
-        ERRORDESCRIBE(CKM_API_ERROR_BAD_REQUEST);
-        ERRORDESCRIBE(CKM_API_ERROR_BAD_RESPONSE);
-        ERRORDESCRIBE(CKM_API_ERROR_SEND_FAILED);
-        ERRORDESCRIBE(CKM_API_ERROR_RECV_FAILED);
-        ERRORDESCRIBE(CKM_API_ERROR_AUTHENTICATION_FAILED);
-        ERRORDESCRIBE(CKM_API_ERROR_INPUT_PARAM);
-        ERRORDESCRIBE(CKM_API_ERROR_BUFFER_TOO_SMALL);
-        ERRORDESCRIBE(CKM_API_ERROR_OUT_OF_MEMORY);
-        ERRORDESCRIBE(CKM_API_ERROR_ACCESS_DENIED);
-        ERRORDESCRIBE(CKM_API_ERROR_SERVER_ERROR);
-        ERRORDESCRIBE(CKM_API_ERROR_DB_LOCKED);
-        ERRORDESCRIBE(CKM_API_ERROR_DB_ERROR);
-        ERRORDESCRIBE(CKM_API_ERROR_DB_ALIAS_EXISTS);
-        ERRORDESCRIBE(CKM_API_ERROR_DB_ALIAS_UNKNOWN);
-        ERRORDESCRIBE(CKM_API_ERROR_VERIFICATION_FAILED);
-        ERRORDESCRIBE(CKM_API_ERROR_INVALID_FORMAT);
-        ERRORDESCRIBE(CKM_API_ERROR_FILE_ACCESS_DENIED);
-        ERRORDESCRIBE(CKM_API_ERROR_NOT_EXPORTABLE);
-        ERRORDESCRIBE(CKM_API_ERROR_FILE_SYSTEM);
-        ERRORDESCRIBE(CKM_API_ERROR_NOT_SUPPORTED);
-        ERRORDESCRIBE(CKM_API_ERROR_UNKNOWN);
-        default: return "Error not defined";
-    }
-}
  #undef ERRORDESCRIBE
  
  std::string CKMCReadableError(int error) {
@@ -159,12 +132,8 @@ std::string CKMCReadableError(int error) {
      return output;
  }
  
-void save_data(const char* alias, const char *data, int expected_err)
-{
-    save_data(alias, data, strlen(data), expected_err);
-}
-
-void save_data(const char* alias, const char *data, size_t len, int expected_err = CKMC_ERROR_NONE)
+void save_data(const char* alias, const char *data, size_t len, const char* password,
+               int expected_err, bool exportable)
  {
      RUNNER_ASSERT(alias);
      RUNNER_ASSERT(data);
@@ -173,14 +142,22 @@ void save_data(const char* alias, const char *data, size_t len, int expected_err
      buffer.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
      buffer.size = len;
      ckmc_policy_s policy;
-    policy.password = NULL;
-    policy.extractable = true;
-
+    policy.password = const_cast<char*>(password);
+    policy.extractable = exportable;
      int ret = ckmc_save_data(alias, buffer, policy);
      RUNNER_ASSERT_MSG(expected_err == ret, "Saving data failed. "
-                        << CKMCErrorToString(ret) << " while expected: "
-                        << CKMCErrorToString(expected_err));
+                      << CKMCErrorToString(ret) << " while expected: "
+                      << CKMCErrorToString(expected_err));
+}
  
+void save_data(const char* alias, const char *data, int expected_err, bool exportable)
+{
+    save_data(alias, data, strlen(data), nullptr, expected_err, exportable);
+}
+
+void save_data(const char* alias, const char *data, size_t len, int expected_err, bool exportable)
+{
+    save_data(alias, data, len, nullptr, expected_err, exportable);
  }
  
  ScopedSaveData::ScopedSaveData(const char* alias, const char *data, int expected_err) : m_alias(alias)
@@ -363,7 +340,7 @@ void unlock_user_data(uid_t user_id, const char *passwd)
      int ret;
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (ret = control->unlockUserKey(user_id, passwd)),
-                      "Error=" << CKMErrorToString(ret));
+                      "Error=" << CKM::APICodeToString(ret));
  }
  
  void remove_user_data(uid_t user_id)
@@ -405,6 +382,74 @@ void check_alias_list(const CKM::AliasVector& expected)
      RUNNER_ASSERT_MSG(expected == actual, "Actual list of aliases differ from expected list.");
  }
  
+void check_alias_info_list_helper(const CKM::AliasPwdVector& expected, const CKM::AliasPwdVector& actual,
+        const std::string userSmackLabel)
+{
+    std::string errorLogMsg;
+    std::unordered_map<std::string, bool> aliasPwdMap;
+
+    RUNNER_ASSERT_MSG(expected.size() == actual.size(), "Aliases item count differs, expected: " <<
+        expected.size() << " actual: " << actual.size());
+
+    for (const auto &it : actual)
+    {
+        aliasPwdMap[std::get<0>(it)] = std::get<1>(it);
+    }
+
+
+    for (const auto &it : expected)
+    {
+        auto aliasPwd = aliasPwdMap.find(userSmackLabel + std::get<0>(it));
+        if (aliasPwd != aliasPwdMap.end()) {
+            if (aliasPwd->second != std::get<1>(it)) {
+                errorLogMsg += "Alias: " + std::get<0>(it) + " has wrong encryption status: "
+                                + std::to_string(std::get<1>(it)) + "\n";
+            }
+        }
+        else {
+            errorLogMsg += "Expected alias: " + std::get<0>(it) + " not found.\n";
+        }
+    }
+
+    if (!errorLogMsg.empty()) {
+        for (const auto &it : actual)
+        {
+            errorLogMsg += "Actual alias: " + std::get<0>(it) + " status: "
+                + std::to_string(std::get<1>(it)) + "\n";
+        }
+        RUNNER_FAIL_MSG("Actual list of aliases differ from expected list.\n" + errorLogMsg);
+    }
+}
+
+void check_alias_info_list(const CKM::AliasPwdVector& expected, const std::string& userSmackLabel)
+{
+    ckmc_alias_info_list_s *aliasInfoList = NULL;
+    int ret = ckmc_get_data_alias_info_list(&aliasInfoList);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get the list of data aliases. " << ret << " / "
+                      << CKMCErrorToString(ret));
+
+    CKM::AliasPwdVector actual;
+    ckmc_alias_info_list_s *plist = aliasInfoList;
+    char* alias;
+    bool isPasswordProtected;
+    unsigned int it = 0;
+    while (plist)
+    {
+        ret = ckmc_alias_info_get_alias(plist->info, &alias);
+        RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias. " << ret << " / "
+                          << CKMCErrorToString(ret));
+        ret = ckmc_alias_info_is_password_protected(plist->info, &isPasswordProtected);
+        RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get password protection status" << ret << " / "
+                          << CKMCErrorToString(ret));
+        RUNNER_ASSERT_MSG(alias != nullptr, "Got null alias. Iterator: " << it);
+        actual.push_back(std::make_pair(alias, isPasswordProtected));
+        plist = plist->next;
+        it++;
+    }
+    ckmc_alias_info_list_all_free(aliasInfoList);
+    check_alias_info_list_helper(expected, actual, userSmackLabel);
+}
+
  size_t count_aliases(alias_type_ type, size_t minimum_initial_element_count)
  {
      ckmc_alias_list_s *aliasList = NULL;
@@ -534,3 +579,10 @@ RawBufferPtr create_raw_buffer(ckmc_raw_buffer_s* buffer)
  {
      return RawBufferPtr(buffer, ckmc_buffer_free);
  }
+
+CKM::Policy generate_ckm_policy(int iterator_nr) {
+    if (iterator_nr % 2) { // policy with password and with / without extractable flag
+        return CKM::Policy(CKM::Password("test_pwd"), iterator_nr % 4);
+    }
+    return CKM::Policy();
+}
diff --git a/src/ckm/ckm-common.h b/src/ckm/ckm-common.h

index d5f6081..69120c9 100644 (file)
--- a/src/ckm/ckm-common.h
+++ b/src/ckm/ckm-common.h
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -41,7 +41,6 @@ extern const char *TEST_LABEL_5;
  
  // support for error printing
  const char * CKMCErrorToString(int error);
-const char * CKMErrorToString(int error);
  std::string CKMCReadableError(int error);
  
  // RUNNER_ASSERT wrappers
@@ -90,8 +89,12 @@ std::string aliasWithLabel(const char *label, const char *alias);
  
  std::string aliasWithLabelFromSelf(const char *alias);
  
-void save_data(const char* alias, const char *data, int expected_err = CKMC_ERROR_NONE);
-void save_data(const char* alias, const char *data, size_t len, int expected_err);
+void save_data(const char* alias, const char *data, size_t len, const char* password,
+               int expected_err = CKMC_ERROR_NONE, bool exportable = true);
+void save_data(const char* alias, const char *data, int expected_err = CKMC_ERROR_NONE,
+               bool exportable = true);
+void save_data(const char* alias, const char *data, size_t len,
+               int expected_err = CKMC_ERROR_NONE, bool exportable = true);
  class ScopedSaveData
  {
  public:
@@ -144,6 +147,10 @@ void reset_user_data(uid_t user_id, const char *passwd);
  
  ckmc_raw_buffer_s prepare_message_buffer(const char * input);
  void check_alias_list(const CKM::AliasVector& expected);
+void check_alias_info_list_helper(const CKM::AliasPwdVector& expected, const CKM::AliasPwdVector& actual,
+                                  const std::string userSmackLabel = "");
+void check_alias_info_list(const CKM::AliasPwdVector& expected,
+                           const std::string& userSmackLabel = "");
  
  typedef enum {
      ALIAS_KEY,
@@ -158,6 +165,7 @@ ckmc_raw_buffer_s* createRandomBufferCAPI(size_t random_bytes);
  ckmc_key_s *generate_AES_key(size_t lengthBits, const char *passwd);
  void validate_AES_key(ckmc_key_s *analyzed);
  void compare_AES_keys(ckmc_key_s *first, ckmc_key_s *second); // true if equal
+CKM::Policy generate_ckm_policy(int iterator_nr); // generates policy based on given number
  
  // Test env class for database cleanup. Pass database uids to cleanup before and after test
  template <uid_t ...Args>
diff --git a/src/ckm/keys/pkcs12.tgz b/src/ckm/keys/pkcs12.tgz

deleted file mode 100644 (file)

index 0dfe5e2..0000000

Binary files a/src/ckm/keys/pkcs12.tgz and /dev/null differ
diff --git a/src/ckm/keys/pkcs12/HOWTO.txt b/src/ckm/keys/pkcs12/HOWTO.txt

new file mode 100644 (file)

index 0000000..b1af637
--- /dev/null
+++ b/src/ckm/keys/pkcs12/HOWTO.txt
@@ -0,0 +1,131 @@
+This guideline explains how src/resource/pkcs.p12 is generated.
+
+
+The certificate chain looks as follows (arrow denotes the signing):
+
+SERVER <-- CA_INT <-- CA
+
+That is the CA is a root CA, CA_INT is an intermediate/1st level CA,
+and SERVER is a final/2nd level CA.
+
+
+Files:
+- ca.key, CA's private key used to sign CA_INT certificate
+- ca.crt, CA's certificate used to verify a certificate chain (it's
+  the last certificate in the chain)
+- ca-int.key, CA_INT's private key used to sign SERVER certificate
+- ca-int.csr, CA_INT's certificate signing request (to be signed with
+  ca.key)
+- ca-int.crt, CA_INT's certificate signed by CA
+- server.key, SERVER's private key used to sign client certificates
+- server.csr, SERVER's certificate signing request (to be signed with
+  ca-int.key)
+- server.crt, SERVER's certificate signed by CA_INT
+- chain.pem, chain of CA, CA_INT and SERVER certificates in PEM format
+  (can be used for validation)
+
+
+Keys should be left untouched. In case they are lost they can be
+regenerated with:
+
+ openssl genrsa -out ca.key 1024 (or any other lenght)
+
+
+Certificate signing requests
+
+ Each certificate must have a different Common Name (CN). The command
+ for CSR generation will prompt you for it (and for other fields).
+
+
+Openssl ca setup
+
+ Openssl 1.1.1 requires root and intermediate CA certficates (that is
+ all 3 of above) to have a 'CA' set to 'true' in basicConstraints
+ extension. It applies to trusted certificates as well. The 'openssl
+ ca' tool allows that with proper configuration. Modifications in
+ /etc/ssl/openssl.cnf in [ CA_default ] section:
+ - set 'x509_extensions' to 'v3_ca' to add the v3 CA extension,
+ - set 'policy' to 'policy_anything' to get rid of strict CSR field
+ matching rules.
+
+ Before 'openssl ca' can be used you have to provide a proper
+ directory structure for it. By default it needs a following hierarchy
+ in ./demoCA (paths can be modified in /etc/ssl/openssl.cnf):
+ - demoCA/
+   - private/
+     - cakey.pem - The private key used to sign the certificate. For
+       ca-int.csr it will be ca.key.
+   - cacert.pem - The certificate of the signing CA. For ca-int.csr it
+     will be ca.crt.
+   - index.txt - Empty file (touch index.txt)
+   - serial - A file with serial number (echo 1000 > serial)
+
+
+Certificate generation
+
+- CA:
+
+ Generate a self signed certificate (root ca):
+
+  openssl req -key ca.key -new -x509 -days 3650 -sha256 -out ca.crt
+
+- CA_INT:
+
+ Generate a signing request:
+
+  openssl req -new -key ca.key -out ca-int.csr
+
+ Sign the certificate using CA:
+
+  openssl ca -days 3650 -notext -md sha256 -in ca-int.csr -out \
+  ca-int.crt
+
+- SERVER:
+
+ Generate a signing request:
+
+  openssl req -new -key ca-int.key -out server.csr
+
+ Sign the certificate using CA_INT:
+
+  openssl ca -days 3650 -notext -md sha256 -in server.csr -out \
+  server.crt
+
+
+Export server private key, certificate and the rest of the chain to
+pkcs12:
+
+ cat ca.crt ca-int.crt > chain.pem
+
+ openssl pkcs12 -export -out pkcs.p12 -inkey server.key -in server.crt \
+ -certfile chain.pem
+
+
+Useful commands
+
+- Display certificate info
+
+ openssl x509 -in ca.crt -text -noout
+
+- Display csr info
+
+ openssl req -in ca-int.csr -text -noout
+
+- Display pkcs12 contents in PEM format
+
+ openssl pkcs12 -in pkcs.p12 -info
+
+- Display certificate purpose
+
+ openssl x509 -in ca.crt -purpose
+
+- Sign a client's certificate with server one:
+
+ openssl req -new -key server.key -out client.csr
+ openssl x509 -req -in client.csr -CA server.crt -CAkey server.key \
+ -CAcreateserial -out client.crt -days 3650
+
+- Verify a certficate against a local chain
+
+ openssl verify -CAfile chain.pem client.crt
+
diff --git a/src/ckm/keys/pkcs12/ca-int.crt b/src/ckm/keys/pkcs12/ca-int.crt

new file mode 100644 (file)

index 0000000..dea0763
--- /dev/null
+++ b/src/ckm/keys/pkcs12/ca-int.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM
+MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft
+c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI
+hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX
+DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh
+dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR
+Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp
+AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o
+u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX
+C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW
+BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY
+kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW
+gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8
+7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS
+vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx
+-----END CERTIFICATE-----
diff --git a/src/ckm/keys/pkcs12/ca-int.csr b/src/ckm/keys/pkcs12/ca-int.csr

new file mode 100644 (file)

index 0000000..ecd6d3e
--- /dev/null
+++ b/src/ckm/keys/pkcs12/ca-int.csr
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRY2Et
+aW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEpAxNN
+reF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7ou3c3
+oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVXC9pU
+GRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGgADANBgkqhkiG9w0BAQsF
+AAOBgQC8b7cVVV4z5Bp/XxowzlfhMGL17EE2vgMwpCNNQ+fOpPrrEwmhyg0I4R5+
+iXrnxELVI/cqBUpS84ZHBlNgQAS8F9Wx6AU0yEUBcNqJiMjUreA56VZAfGb+/Sv+
+t6ZQrYtof38aaHfMxhYlCsZzuKGNWvQsLAgxvlBQgHEW9xsqHQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/src/ckm/keys/pkcs12/ca-int.key b/src/ckm/keys/pkcs12/ca-int.key

new file mode 100644 (file)

index 0000000..0b3b26e
--- /dev/null
+++ b/src/ckm/keys/pkcs12/ca-int.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDhKQMTTa3hfhz0z85zXXlKXMF3yX+bA43wvaeuPIw24sLvH8hK
+VkMoNV54aBnN2Uk+6Lt3N6CavPa8OS/HOL8RukB1xNzR82Thab7vraciHH6E6AUV
+IihJqbetEposQPVVVwvaVBkclJ4wyOFrr9mTcNOJWICBhPY3UjAPnUimHwIDAQAB
+AoGBAMvEP+JCVHBTn4T2Y5IIL/JaS0RK+M6iwtvx50RJy2MIiP27N5n+wzwqQFqb
+a27di+oA2Vck4pXnGSxyXIjhFBgWdLmryJM44DSVlWanb5n2A1GW291MGA8bGR/H
+TCbsuaEm3Z2ggFighQAp2Zuao2lKuMDOgOzpu+0k7lqtfsqxAkEA8ZHC7ocrlRtM
+EzafCi1htuwl9t02Do1q+wn8u5kbKPJ7q4ZNm/sUECfHBE7SbwxNxIEWKuZ5U8V4
+A42VPnO9gwJBAO6cT4IdILqxfxNPd97DY+rT64O/mPIJGC3cmDonf4kc+RuaqbT+
+D9WKp1cwmoeaJDrWbWFWi3cjBrrLd6JxzjUCQQC7s8Heq6Mesd4z065SLx8NDoMV
+RZ+aQSJOO91oOzhSYc/cYHfvanGVeAL5AvIaHVpUBOWfogPGJtrxD9NWeoJXAkEA
+n4CLwZ15AHOgT6dCqP2R8Crjd3l/YuPjbtzUQaOfpGdiuiokIaHnscZy4FzUH6tR
+ZqdqDLROnEAkwn86pLNQtQJBAOAsXPLUpVuJEtPZB1CNLdFkRqkqgFNPnGSIUnTp
++f5H8AHCb1tX/QllL3s6phZ9qds0qrwNxQzgiVATXZyRov4=
+-----END RSA PRIVATE KEY-----
diff --git a/src/ckm/keys/pkcs12/ca.crt b/src/ckm/keys/pkcs12/ca.crt

new file mode 100644 (file)

index 0000000..301187d
--- /dev/null
+++ b/src/ckm/keys/pkcs12/ca.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV
+BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl
+MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx
+MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG
+UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV
+BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r
+YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6
+xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY
+druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O
+BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg
+4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ
+SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3
+ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA
+2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw=
+-----END CERTIFICATE-----
diff --git a/src/ckm/keys/pkcs12/ca.key b/src/ckm/keys/pkcs12/ca.key

new file mode 100644 (file)

index 0000000..234a51a
--- /dev/null
+++ b/src/ckm/keys/pkcs12/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I
+v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI
+ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB
+AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA
+snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/
+iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh
+dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY
+bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO
+vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R
+ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7
+pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm
+oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D
+3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7
+-----END RSA PRIVATE KEY-----
diff --git a/src/ckm/keys/pkcs12/chain.pem b/src/ckm/keys/pkcs12/chain.pem

new file mode 100644 (file)

index 0000000..b4b75e6
--- /dev/null
+++ b/src/ckm/keys/pkcs12/chain.pem
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAk+gAwIBAgIJAOMDgLjsxef2MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJQTDEPMA0GA1UECAwGUG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNV
+BAoMB1NhbXN1bmcxDDAKBgNVBAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjEl
+MCMGCSqGSIb3DQEJARYWbS5rYXJwaXVrMkBzYW1zdW5nLmNvbTAeFw0xNDExMTMx
+MTExNDFaFw0yNDExMTAxMTExNDFaMIGLMQswCQYDVQQGEwJQTDEPMA0GA1UECAwG
+UG9sYW5kMQ8wDQYDVQQHDAZXYXJzYXcxEDAOBgNVBAoMB1NhbXN1bmcxDDAKBgNV
+BAsMA0tTRjETMBEGA1UEAwwKbS5rYXJwaXVrMjElMCMGCSqGSIb3DQEJARYWbS5r
+YXJwaXVrMkBzYW1zdW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+9VvZ3lG1y9a56vUr8s6a44VgSl8mCkIqxt1ds8lJ1GhNuEqtiL+yEq8DDfxulnI6
+xpnmQxFsKy+M14dNNjfAQ9cGiT0aJ8cLVZIRct3phmrUpse3iHpcuR/jwTSJkbwY
+druBloGujhF3FDXX2gVHMZ/j+uePP86Q4cjS80CpORcCAwEAAaNQME4wHQYDVR0O
+BBYEFIiSaB1CtV0Dr5Hg4diRzWaVc67uMB8GA1UdIwQYMBaAFIiSaB1CtV0Dr5Hg
+4diRzWaVc67uMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAXTvQ6fhZ
+SZhfd1DsNx+85ikyvPnSAffOWghJjJA2BMaHdKvoSJTHgBn29BmQSz0kSUM4GOM3
+ikD3aSEaqGJWXVUXxAx8vTe8qFfqr9RE0WsBmPPuWa2fwUaq2ttW5Je4UBs/9jiA
+2UqgKbtqxvacHpGFoM86QxgV+52AA+Bwfzw=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICtzCCAiCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlBM
+MQ8wDQYDVQQIDAZQb2xhbmQxDzANBgNVBAcMBldhcnNhdzEQMA4GA1UECgwHU2Ft
+c3VuZzEMMAoGA1UECwwDS1NGMRMwEQYDVQQDDAptLmthcnBpdWsyMSUwIwYJKoZI
+hvcNAQkBFhZtLmthcnBpdWsyQHNhbXN1bmcuY29tMB4XDTE5MDYxMzExNTQ0OFoX
+DTI5MDYxMDExNTQ0OFowYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3Rh
+dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwR
+Y2EtaW50QHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOEp
+AxNNreF+HPTPznNdeUpcwXfJf5sDjfC9p648jDbiwu8fyEpWQyg1XnhoGc3ZST7o
+u3c3oJq89rw5L8c4vxG6QHXE3NHzZOFpvu+tpyIcfoToBRUiKEmpt60SmixA9VVX
+C9pUGRyUnjDI4Wuv2ZNw04lYgIGE9jdSMA+dSKYfAgMBAAGjUzBRMB0GA1UdDgQW
+BBSvHyNEVaNf2+iZ79oCpVmniojtLzAfBgNVHSMEGDAWgBSIkmgdQrVdA6+R4OHY
+kc1mlXOu7jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAEo7oCMW
+gApPBjArw/AyPWw4vxLH6U7/kxJFThVu5b1/6bwEpE8hHK9FRuCZKw1ydegyuuO8
+7JgshhHGBlDECa3INdshCk2xi02SDjWZhxJU8r0eIrji2PxqBI3fEpF2067K2DUS
+vA1tUP253JYcln+xHxbZDUtzaoXM7LmN9tWx
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx
+EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw
+NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD
+VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC
+DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY
+xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD
+VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b
+6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA
+pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3
+cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh
+DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o=
+-----END CERTIFICATE-----
diff --git a/src/ckm/keys/pkcs12/server.crt b/src/ckm/keys/pkcs12/server.crt

new file mode 100644 (file)

index 0000000..40b6b69
--- /dev/null
+++ b/src/ckm/keys/pkcs12/server.crt
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjDCCAfWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYTELMAkGA1UEBhMCQVUx
+EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg
+UHR5IEx0ZDEaMBgGA1UEAwwRY2EtaW50QHRlc3RtZS5jb20wHhcNMTkwNjEzMTIw
+NzU5WhcNMjkwNjEwMTIwNzU5WjBhMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRowGAYD
+VQQDDBFzZXJ2ZXJAdGVzdG1lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAw4Jj7q00Gt8G55TPvZwhEL4Q74mEb0gvUy+ZQDAQpgUpfd79FAV1rKjvn5gC
+DZuUCWvPYReTe0OMbb30iVDyHss6MEzhBjOFNxZybZbDULKDWxZTckC6GWZpmOJY
+xuv2Kl/iRgYEvfyfLr2g1pL7PpLZDkcoHzc+BouQxEU+3nkCAwEAAaNTMFEwHQYD
+VR0OBBYEFE8OYEtgOx9klZOaDcNJF6nkfeE6MB8GA1UdIwQYMBaAFK8fI0RVo1/b
+6Jnv2gKlWaeKiO0vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEA
+pkpwMYqyEFl1fPGHbub4ieDxm9U+KSkMOoB3pB5atqvP4LJj7sGQL6qnRYiL5er3
+cyBaIQdKt/NqWR4LKrLGPsfIbtDesRAP8HfG5ZfxiRr4Z4PhdMzO4XVSihuoGUoh
+DfQkQRjWw60PKpc9uQypCcHY5yWu/b+lPL5ydXKyU5o=
+-----END CERTIFICATE-----
diff --git a/src/ckm/keys/pkcs12/server.csr b/src/ckm/keys/pkcs12/server.csr

new file mode 100644 (file)

index 0000000..11fc7f9
--- /dev/null
+++ b/src/ckm/keys/pkcs12/server.csr
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEaMBgGA1UEAwwRc2Vy
+dmVyQHRlc3RtZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOCY+6t
+NBrfBueUz72cIRC+EO+JhG9IL1MvmUAwEKYFKX3e/RQFdayo75+YAg2blAlrz2EX
+k3tDjG299IlQ8h7LOjBM4QYzhTcWcm2Ww1Cyg1sWU3JAuhlmaZjiWMbr9ipf4kYG
+BL38ny69oNaS+z6S2Q5HKB83PgaLkMRFPt55AgMBAAGgADANBgkqhkiG9w0BAQsF
+AAOBgQCY3jWaE33hy1JVni9bLCUYwOz6VJVV8d1WWpSf7CpIgrXUQFPOIfO71jlf
+Vn99iYCUIodq+9M9dyeNoU1mkAp2LpG3Y3DjePpIyM3zLLEM/CmQ9ZbuS/zKl5fO
+KoItsRl0uFJEEEHw7lWxdRuIvzix5SFxTApiMPktjtCs/9eAew==
+-----END CERTIFICATE REQUEST-----
diff --git a/src/ckm/keys/pkcs12/server.key b/src/ckm/keys/pkcs12/server.key

new file mode 100644 (file)

index 0000000..a1197d7
--- /dev/null
+++ b/src/ckm/keys/pkcs12/server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U
+BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy
+QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB
+AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn
+RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh
+22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR
+wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys
+PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU
+91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9
+uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS
+Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2
+wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx
+bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw==
+-----END RSA PRIVATE KEY-----
diff --git a/src/ckm/privileged/CMakeLists.txt b/src/ckm/privileged/CMakeLists.txt

index a7ac264..705562c 100644 (file)
--- a/src/ckm/privileged/CMakeLists.txt
+++ b/src/ckm/privileged/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2013-2019 Samsung Electronics Co., Ltd All Rights Reserved
  #
  #   Licensed under the Apache License, Version 2.0 (the "License");
  #   you may not use this file except in compliance with the License.
@@ -14,8 +14,68 @@
  #
  # @file        CMakeLists.txt
  # @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+# @author      Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
  # @brief
  #
+
+INCLUDE(GNUInstallDirs)
+
+SET(EIV_TEST_XML_FILENAME "encrypted_initial_values.xml")
+SET(EIV_TEST_XML ${CMAKE_CURRENT_SOURCE_DIR}/${EIV_TEST_XML_FILENAME})
+SET(EIV_KEY_TO_BE_IMPORTED "KeyOne16BytesLen")
+SET(EIV_PLAIN_MESSAGE "ShortTestMessage")
+SET(EIV_MESSAGE_ENCRYPTION_IV "abcdefghijklmnop")
+
+SET(EIV_TEST_ASYM_XML_FILENAME "encrypted_initial_values_asym.xml")
+SET(EIV_TEST_ASYM_XML ${CMAKE_CURRENT_SOURCE_DIR}/${EIV_TEST_ASYM_XML_FILENAME})
+
+# encrypt ShortTestMessage using the imported key and 'abcdefghijklmnop' IV
+EXECUTE_PROCESS(
+    COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/aes_128_cbc_encrypt.sh ${EIV_KEY_TO_BE_IMPORTED} ${EIV_MESSAGE_ENCRYPTION_IV}
+    OUTPUT_VARIABLE EIV_ENCRYPTED_MESSAGE_HEX
+    ERROR_VARIABLE EIV_ENCRYPTION_STDERR
+    RESULT_VARIABLE EIV_ENCRYPTION_RESULT
+)
+
+IF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0")
+    MESSAGE(FATAL_ERROR "Encryption failed: ${EIV_ENCRYPTION_STDERR}")
+ENDIF(NOT ${EIV_ENCRYPTION_RESULT} STREQUAL "0")
+
+SET(EIV_FILES ${EIV_TEST_XML} ${EIV_TEST_ASYM_XML})
+
+# prepare initial values xml target
+ADD_CUSTOM_COMMAND(OUTPUT ${EIV_FILES}
+    COMMAND echo -n THIS/STRING/MUST/BE/REPLACED/IN/REAL/DEVICE= | base64 --decode > /tmp/encryption_key
+
+    COMMAND echo -n ${EIV_KEY_TO_BE_IMPORTED} > /tmp/key
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/key -k /tmp/encryption_key -n TEI_0 -t Key -s AES -b hardware > ${EIV_TEST_XML}
+
+    COMMAND openssl genpkey -algorithm RSA -outform DER > /tmp/prvkey
+    COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PRV -t Key -s RSA_PRV > ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+    COMMAND openssl genpkey -algorithm RSA -outform PEM > /tmp/prvkey.pem
+    COMMAND openssl pkcs8 -topk8 -inform PEM -in /tmp/prvkey.pem -outform DER -nocrypt -out /tmp/prvkey
+    COMMAND openssl rsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PRV -t Key -s RSA_PRV -x ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_RSA_PKCS8_PUB -t Key -s RSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+    COMMAND openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:1024 -pkeyopt dsa_paramgen_q_bits:160 > /tmp/params.pem
+    COMMAND openssl genpkey -paramfile /tmp/params.pem -outform DER > /tmp/prvkey
+    COMMAND openssl dsa -in /tmp/prvkey -inform DER -pubout -outform DER > /tmp/pubkey
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/prvkey -k /tmp/encryption_key -n TEI_DSA_PRV -t Key -s DSA_PRV -x ${EIV_TEST_ASYM_XML}
+    COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/ckm_initial_values -d /tmp/pubkey -k /tmp/encryption_key -n TEI_DSA_PUB -t Key -s DSA_PUB -x ${EIV_TEST_ASYM_XML}
+
+    COMMENT "Generating encrypted initial values test xml"
+    VERBATIM
+)
+
+ADD_CUSTOM_TARGET(TARGET_EIV_TEST_XML DEPENDS ${EIV_FILES})
+
+INSTALL(FILES ${EIV_FILES} DESTINATION ${CKM_TEST_DIR})
+
+# ckm-tests
  PKG_CHECK_MODULES(CKM_DEP
      REQUIRED
      libsmack
@@ -41,16 +101,20 @@ INCLUDE_DIRECTORIES(
  
  ADD_EXECUTABLE(${TARGET_CKM_PRIVILEGED_TESTS} ${CKM_SOURCES})
  
+ADD_DEPENDENCIES(${TARGET_CKM_PRIVILEGED_TESTS} TARGET_EIV_TEST_XML)
+
  TARGET_LINK_LIBRARIES(${TARGET_CKM_PRIVILEGED_TESTS}
      ${TARGET_CKM_TEST_COMMON}
      ${CKM_DEP_LIBRARIES}
      ${COMMON_TARGET_TEST}
  )
  
-INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin)
-INSTALL(FILES ckm-tests-on-onlycap.sh
-    DESTINATION bin
-    PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE
-                GROUP_READ GROUP_EXECUTE
-                WORLD_READ WORLD_EXECUTE
+TARGET_COMPILE_DEFINITIONS(${TARGET_CKM_PRIVILEGED_TESTS}
+    PRIVATE EIV_PLAIN_MESSAGE="${EIV_PLAIN_MESSAGE}"
+    PRIVATE EIV_ENCRYPTED_MESSAGE_HEX="${EIV_ENCRYPTED_MESSAGE_HEX}"
+    PRIVATE EIV_MESSAGE_ENCRYPTION_IV="${EIV_MESSAGE_ENCRYPTION_IV}"
+    PRIVATE EIV_TEST_XML_FILENAME="${EIV_TEST_XML_FILENAME}"
+    PRIVATE EIV_TEST_ASYM_XML_FILENAME="${EIV_TEST_ASYM_XML_FILENAME}"
  )
+
+INSTALL(TARGETS ${TARGET_CKM_PRIVILEGED_TESTS} DESTINATION bin)
diff --git a/src/ckm/privileged/access_provider2.cpp b/src/ckm/privileged/access_provider2.cpp

index 58a98eb..2d98ace 100644 (file)
--- a/src/ckm/privileged/access_provider2.cpp
+++ b/src/ckm/privileged/access_provider2.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
  /*
   * @file        access_provider.cpp
   * @author      Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @author      Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
   * @version     1.0
   * @brief       Common functions and macros used in security-tests package.
   */
@@ -26,6 +27,7 @@
  #include <access_provider2.h>
  #include <tests_common.h>
  #include <ckm-common.h>
+#include <scoped_process_label.h>
  
  namespace {
  
@@ -59,6 +61,11 @@ AccessProvider::AccessProvider(const std::string &ownerId, int uid, int gid)
      applyAndSwithToUser(uid, gid);
  }
  
+AccessProvider::~AccessProvider()
+{
+
+}
+
  void AccessProvider::allowAPI(const std::string &api, const std::string &rule) {
      m_smackAccess.add(m_mySubject, api, rule);
  }
@@ -74,21 +81,11 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid)
  {
      RUNNER_ASSERT_MSG(m_inSwitchContext == false, "already switched context");
  
-    // get calling label
-    char* my_label = NULL;
-    RUNNER_ASSERT(smack_new_label_from_self(&my_label) > 0);
-    if(my_label)
-    {
-        m_origLabel = std::string(my_label);
-        free(my_label);
-    }
-    RUNNER_ASSERT(m_origLabel.size() > 0);
-
      RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
          "Error in smack_revoke_subject(" << m_mySubject << ")");
      apply();
-    RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_mySubject.c_str()),
-        "Error in smack_set_label_for_self.");
+
+    m_processLabel.reset(new ScopedProcessLabel(m_mySubject));
  
      m_origUid = getuid();
      m_origGid = getgid();
@@ -111,8 +108,7 @@ ScopedAccessProvider::~ScopedAccessProvider()
          RUNNER_ASSERT_MSG(0 == seteuid(m_origUid), "Error in setuid.");
          RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_mySubject.c_str()),
              "Error in smack_revoke_subject(" << m_mySubject << ")");
-        RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_origLabel.c_str()),
-            "Error in smack_set_label_for_self.");
+        m_processLabel.reset();
          m_inSwitchContext = false;
      }
  }
diff --git a/src/ckm/privileged/access_provider2.h b/src/ckm/privileged/access_provider2.h

index 30631be..d2e19b5 100644 (file)
--- a/src/ckm/privileged/access_provider2.h
+++ b/src/ckm/privileged/access_provider2.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -23,14 +23,17 @@
  #define _ACCESS_FOR_DUMMIES_H_
  
  #include <string>
+#include <memory>
  
  #include <smack_access.h>
  
+class ScopedProcessLabel;
+
  class AccessProvider {
  public:
      explicit AccessProvider(const std::string &ownerId);
      AccessProvider(const std::string &ownerId, int uid, int gid);
-    virtual ~AccessProvider() {}
+    virtual ~AccessProvider();
  
      AccessProvider(const AccessProvider &second) = delete;
      AccessProvider& operator=(const AccessProvider &second) = delete;
@@ -47,7 +50,7 @@ protected:
      std::string m_mySubject;
      uid_t m_origUid;
      gid_t m_origGid;
-    std::string m_origLabel;
+    std::unique_ptr<ScopedProcessLabel> m_processLabel;
      bool m_inSwitchContext;
  };
  
diff --git a/src/ckm/privileged/aes_128_cbc_encrypt.sh b/src/ckm/privileged/aes_128_cbc_encrypt.sh

new file mode 100755 (executable)

index 0000000..baad9a8
--- /dev/null
+++ b/src/ckm/privileged/aes_128_cbc_encrypt.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euo pipefail
+
+if [ "$#" -ne 2 ]
+then
+    echo "$0 requires 2 arguments: key and IV"
+    exit 1
+fi
+
+KEY_HEX=`echo -n $1 | hexdump -e '/1 "%02x"'`
+IV_HEX=`echo -n $2 | hexdump -e '/1 "%02x"'`
+
+# encrypt | convert to hex
+echo -n 'ShortTestMessage' | openssl enc -aes-128-cbc -K $KEY_HEX -iv $IV_HEX | hexdump -e '/1 "%02x"'
+\ No newline at end of file
diff --git a/src/ckm/privileged/async-api.cpp b/src/ckm/privileged/async-api.cpp

index 683c405..69f090a 100644 (file)
--- a/src/ckm/privileged/async-api.cpp
+++ b/src/ckm/privileged/async-api.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Contact: Bumjin Im <bj.im@samsung.com>
   *
@@ -331,8 +331,8 @@ void test_negative(F&& func, int expected, Args... args)
      RUNNER_ASSERT_MSG(obs->m_finished, "Request is not finished!");
      RUNNER_ASSERT_MSG(
              obs->m_error == expected,
-            "Expected " << expected << "/" << CKMErrorToString(expected) <<
-            " got: " << obs->m_error << "/" << CKMErrorToString(obs->m_error));
+            "Expected " << expected << "/" << APICodeToString(expected) <<
+            " got: " << obs->m_error << "/" << APICodeToString(obs->m_error));
  }
  
  template <typename F, typename... Args>
@@ -352,7 +352,7 @@ MyObserverPtr test_positive(F&& func, Args... args)
  
      RUNNER_ASSERT_MSG(obs->m_finished, "Request is not finished!");
      RUNNER_ASSERT_MSG(obs->m_error == 0,
-                         "Request failed " << obs->m_error << "/" << CKMErrorToString(obs->m_error));
+                         "Request failed " << obs->m_error << "/" << APICodeToString(obs->m_error));
      return obs;
  }
  
diff --git a/src/ckm/privileged/capi-access_control.cpp b/src/ckm/privileged/capi-access_control.cpp

index f0328ed..db28b1c 100644 (file)
--- a/src/ckm/privileged/capi-access_control.cpp
+++ b/src/ckm/privileged/capi-access_control.cpp
@@ -37,6 +37,16 @@ const char* TEST_ALIAS2 = "test-alias2";
  const char* TEST_ALIAS3 = "test-alias3";
  
  const char* TEST_DATA = "dsflsdkghkslhglrtghierhgilrehgidsafasdffsgfdgdgfdgfdgfdgfdggf";
+const char* RSA_PUB_KEY_PEM =
+    "-----BEGIN PUBLIC KEY-----\n"
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n"
+    "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n"
+    "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n"
+    "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n"
+    "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n"
+    "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n"
+    "zQIDAQAB\n"
+    "-----END PUBLIC KEY-----";
  
  void allow_access_deprecated(const char* alias, const char* accessor, ckmc_access_right_e accessRights)
  {
@@ -889,3 +899,156 @@ RUNNER_TEST(T3145_control_deprecated_remove_allowed, RemoveDataEnv<APP_1>)
          check_remove_allowed(aliasWithLabel(APP_LABEL_1, TEST_ALIAS).c_str());
      }
  }
+
+RUNNER_TEST(utc_ckmc_get_key_alias_info_list_p)
+{
+    ckmc_alias_info_list_s* ppalias_list = NULL;
+
+    int ret = ckmc_get_key_alias_info_list(&ppalias_list);
+    ckmc_alias_info_list_all_free(ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_key_alias_info_list_n)
+{
+    int ret = ckmc_get_key_alias_info_list(NULL);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_p)
+{
+    ckmc_alias_info_list_s* ppalias_list = NULL;
+
+    int ret = ckmc_get_cert_alias_info_list(&ppalias_list);
+    ckmc_alias_info_list_all_free(ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " <<  CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_get_cert_alias_info_list_n)
+{
+    int ret = ckmc_get_cert_alias_info_list(NULL);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p1)
+{
+    ckmc_alias_info_list_s* ppalias_list = NULL;
+
+    int ret = ckmc_get_data_alias_info_list(&ppalias_list);
+    ckmc_alias_info_list_all_free(ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_DB_ALIAS_UNKNOWN, "Expected CKMC_ERROR_DB_ALIAS_UNKNOWN, returned: " <<  CKMCErrorToString(ret));
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_p2, RemoveDataEnv<APP_1>)
+{
+    ScopedAccessProvider ap(APP_LABEL_1, APP_1, GROUP_1);
+    save_data(TEST_ALIAS, TEST_DATA);
+
+    ckmc_alias_info_list_s* ppalias_list = NULL;
+
+    int ret = ckmc_get_data_alias_info_list(&ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, returned: " <<  CKMCErrorToString(ret));
+
+    char* alias = NULL;
+    ret = ckmc_alias_info_get_alias(ppalias_list->info, &alias);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Failed to get alias, returned: " << CKMCErrorToString(ret));
+    RUNNER_ASSERT_MSG(ppalias_list->next == NULL, "More elements returned");
+    std::string aliasOrig =  std::string(APP_LABEL_1) + " " + std::string(TEST_ALIAS);
+    RUNNER_ASSERT_MSG(strcmp(alias, aliasOrig.c_str()) == 0, "Invalid aliast returned : " << alias);
+
+    ckmc_alias_info_list_all_free(ppalias_list);
+
+}
+
+
+RUNNER_TEST(utc_ckmc_get_data_alias_info_list_n)
+{
+    int ret = ckmc_get_data_alias_info_list(NULL);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_INVALID_PARAMETER, "Expected invalid parameter error, returned: " << CKMCErrorToString(ret));
+}
+
+RUNNER_TEST(utc_ckmc_alias_info_get_alias_p)
+{
+    ckmc_alias_info_list_s *ppalias_list, *tmp;
+    ckmc_key_s test_key;
+    ckmc_policy_s test_policy;
+    int ret;
+    char* current_alias;
+    const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
+    bool foundAlias = false;
+
+    test_key.raw_key =  (unsigned char *)RSA_PUB_KEY_PEM;
+    test_key.key_size = strlen(RSA_PUB_KEY_PEM);
+    test_key.key_type = CKMC_KEY_RSA_PUBLIC;
+    test_key.password = NULL;
+
+    test_policy.password = NULL;
+    test_policy.extractable = true;
+
+    ret = ckmc_save_key(alias, test_key, test_policy);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+    ret = ckmc_get_key_alias_info_list(&ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+    tmp = ppalias_list;
+
+    while (tmp) {
+        ret = ckmc_alias_info_get_alias(tmp->info, &current_alias);
+        RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+        if (strstr(current_alias, alias)) {
+            foundAlias = true;
+            break;
+        }
+        tmp = tmp->next;
+    }
+    ckmc_alias_info_list_all_free(ppalias_list);
+    ckmc_remove_key(alias);
+    RUNNER_ASSERT_MSG(foundAlias == true, "Expected to find alias, but alias not found");
+}
+
+RUNNER_TEST(utc_ckmc_alias_info_is_password_protected_p)
+{
+    ckmc_alias_info_list_s *ppalias_list, *tmp;
+    ckmc_key_s test_key;
+    ckmc_policy_s test_policy;
+    int ret;
+    char* current_alias;
+    const char* alias = "utc_ckmc_alias_info_get_alias_p_test_alias";
+    bool foundAlias = false;
+
+    test_key.raw_key =  (unsigned char *)RSA_PUB_KEY_PEM;
+    test_key.key_size = strlen(RSA_PUB_KEY_PEM);
+    test_key.key_type = CKMC_KEY_RSA_PUBLIC;
+    test_key.password = NULL;
+
+    test_policy.password = NULL;
+    test_policy.extractable = true;
+
+    ret = ckmc_save_key(alias, test_key, test_policy);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+    ret = ckmc_get_key_alias_info_list(&ppalias_list);
+    RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+
+    tmp = ppalias_list;
+
+    while (tmp) {
+        ret = ckmc_alias_info_get_alias(tmp->info, &current_alias);
+        RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+        if (strstr(current_alias, alias)) {
+            foundAlias = true;
+            bool is_password_protected;
+            ret = ckmc_alias_info_is_password_protected(tmp->info, &is_password_protected);
+            RUNNER_ASSERT_MSG(ret == CKMC_ERROR_NONE, "Expected no error, got " << CKMCErrorToString(ret));
+            RUNNER_ASSERT(is_password_protected == false);
+            break;
+        }
+        tmp = tmp->next;
+    }
+    ckmc_alias_info_list_all_free(ppalias_list);
+    ckmc_remove_key(alias);
+    RUNNER_ASSERT(foundAlias == true);
+}
diff --git a/src/ckm/privileged/cc-mode.cpp b/src/ckm/privileged/cc-mode.cpp

index b2b29db..eeddb27 100644 (file)
--- a/src/ckm/privileged/cc-mode.cpp
+++ b/src/ckm/privileged/cc-mode.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@
  #include <ckm-common.h>
  #include <ckm/ckm-manager.h>
  #include <ckm/ckm-control.h>
+#include <scoped_process_label.h>
  
  using namespace CKM;
  using namespace std;
@@ -73,13 +74,13 @@ private:
  
  MdppState::MdppState()
  {
-    ScopedLabel sl(USER_LABEL);
+    ScopedProcessLabel spl(USER_LABEL);
      m_original = vconf_get_str(VCONFKEY_SECURITY_MDPP_STATE);
  }
  
  MdppState::~MdppState()
  {
-    ScopedLabel sl(USER_LABEL);
+    ScopedProcessLabel spl(USER_LABEL);
      if (!m_original)
          vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, UNSET);
      else {
@@ -89,7 +90,7 @@ MdppState::~MdppState()
  
  void MdppState::set(const char* const value)
  {
-    ScopedLabel sl(USER_LABEL);
+    ScopedProcessLabel spl(USER_LABEL);
      if (value)
      {
          int ret = vconf_set_str(VCONFKEY_SECURITY_MDPP_STATE, value);
@@ -121,7 +122,7 @@ void save_keys()
                  rsa_pub_alias,
                  Policy(Password(), true),
                  Policy(Password(), true))),
-            "Error=" << CKMErrorToString(temp));
+            "Error=" << APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairECDSA(
@@ -130,14 +131,14 @@ void save_keys()
                  ecdsa_pub_alias,
                  Policy(Password(), true),
                  Policy(Password(), true))),
-            "Error=" << CKMErrorToString(temp));
+            "Error=" << APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyAES(
                  aes_length,
                  aes_alias,
                  Policy(Password(), true))),
-            "Error=" << CKMErrorToString(temp));
+            "Error=" << APICodeToString(temp));
  }
  
  void read_key(ManagerShPtr& manager, const Alias& alias, int expected) {
@@ -145,8 +146,8 @@ void read_key(ManagerShPtr& manager, const Alias& alias, int expected) {
      int temp;
      RUNNER_ASSERT_MSG(
              expected == (temp = manager->getKey(alias, Password(), key)),
-            "Expected: " << expected << "/" << CKMErrorToString(expected) << " got: " << temp << "/" <<
-            CKMErrorToString(temp));
+            "Expected: " << expected << "/" << APICodeToString(expected) << " got: " << temp << "/" <<
+            APICodeToString(temp));
  }
  
  void read_keys(int expected)
@@ -167,7 +168,7 @@ void update_cc_mode()
      auto control = Control::create();
      int ret;
      RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (ret = control->updateCCMode()),
-                         "Error=" << CKMErrorToString(ret));
+                         "Error=" << APICodeToString(ret));
  }
  
  void restart_ckm(const char* const mdpp_setting)
diff --git a/src/ckm/privileged/ckm-privileged-common.cpp b/src/ckm/privileged/ckm-privileged-common.cpp

index 0c356e3..94070db 100644 (file)
--- a/src/ckm/privileged/ckm-privileged-common.cpp
+++ b/src/ckm/privileged/ckm-privileged-common.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -32,27 +32,6 @@ const char *SERVICE[] = {
      "central-key-manager.service"
  };
  
-void changeLabel(const char *label)
-{
-    int ret = smack_set_label_for_self(label);
-    RUNNER_ASSERT_MSG(0 == ret,
-            "Error in smack_set_label_for_self(" << label << "). Error: " << ret);
-}
-
-} // namespace anonymous
-
-ScopedLabel::ScopedLabel(const char *label) : m_original_label(getLabel())
-{
-    changeLabel(label);
-}
-
-ScopedLabel::~ScopedLabel()
-{
-    /*
-     * Let it throw. If we can't restore label then remaining tests results will be
-     * unreliable anyway.
-     */
-    changeLabel(m_original_label.c_str());
  }
  
  void start_service(ServiceIdx idx)
diff --git a/src/ckm/privileged/ckm-privileged-common.h b/src/ckm/privileged/ckm-privileged-common.h

index f70168a..bc49886 100644 (file)
--- a/src/ckm/privileged/ckm-privileged-common.h
+++ b/src/ckm/privileged/ckm-privileged-common.h
@@ -21,6 +21,16 @@
  #pragma once
  
  #include <string>
+#include <dpl/test/test_runner.h>
+
+#define RUNNER_TEST_DUMMY(Proc, ...) \
+    void Proc(std::tuple<__VA_ARGS__> &optionalArgsTuple DPL_UNUSED)
+
+#ifdef TZ_BACKEND
+#define RUNNER_TEST_TZ_BACKEND(...) RUNNER_TEST(__VA_ARGS__)
+#else
+#define RUNNER_TEST_TZ_BACKEND(...) RUNNER_TEST_DUMMY(__VA_ARGS__)
+#endif
  
  // service lifecycle management
  enum ServiceIdx {
@@ -30,14 +40,3 @@ enum ServiceIdx {
  
  void start_service(ServiceIdx idx);
  void stop_service(ServiceIdx idx);
-
-// changes process label upon construction and restores it upon destruction
-class ScopedLabel
-{
-public:
-    ScopedLabel(const char* label);
-    ~ScopedLabel();
-
-private:
-    std::string m_original_label;
-};
diff --git a/src/ckm/privileged/ckm-tests-on-onlycap.sh b/src/ckm/privileged/ckm-tests-on-onlycap.sh

deleted file mode 100644 (file)

index 570af4a..0000000
--- a/src/ckm/privileged/ckm-tests-on-onlycap.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
-#
-#    Licensed under the Apache License, Version 2.0 (the "License");
-#    you may not use this file except in compliance with the License.
-#    You may obtain a copy of the License at
-#
-#        http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS,
-#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#    See the License for the specific language governing permissions and
-#    limitations under the License.
-#
-# @file        ckm-tests-on-onlycap.sh
-# @author      Kyungwook Tak (k.tak@samsung.com)
-# @brief       Run ckm-tests on onlycap environment
-#
-
-# save old label and onlycap
-OLD_LABEL=`cat /proc/self/attr/current`
-OLD_ONLYCAP=`cat /sys/fs/smackfs/onlycap`
-
-# make sure we're in onlycap so original state can be restored later
-# (assume that OLD_LABEL is allowed to change the label)
-echo "System::Privileged" > /proc/self/attr/current || exit
-
-# push test app lables to onlycap label list
-echo "System::Privileged \
-      User::Pkg::test_label \
-      User::Pkg::test_label_2 \
-      User::Pkg::test_label_3 \
-      User::Pkg::test_label_4 \
-      User::Pkg::test_label_5 \
-      System" > /sys/fs/smackfs/onlycap || exit
-
-# set capability for changing smack label of self and add/remove smack rules
-setcap cap_mac_admin=eip /usr/bin/ckm-privileged-tests || exit
-
-# run test
-ckm-privileged-tests "${@}" # propagate all arguments
-
-# restore old onlycap
-echo -n $OLD_ONLYCAP > /sys/fs/smackfs/onlycap
-
-# restore old label
-# (assume that System::Privileged is allowed to do it with $OLD_ONLYCAP)
-echo $OLD_LABEL > /proc/self/attr/current
diff --git a/src/ckm/privileged/initial-values.cpp b/src/ckm/privileged/initial-values.cpp

index 34638fc..3953ac1 100644 (file)
--- a/src/ckm/privileged/initial-values.cpp
+++ b/src/ckm/privileged/initial-values.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2015 Samsung Electronics Co.
+ *  Copyright (c) 2015 - 2019 Samsung Electronics Co.
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
   *
   * @file       system-db.cpp
   * @author     Maciej Karpiuk (m.karpiuk2@samsung.com)
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
   * @version    1.0
   */
  #include <dpl/test/test_runner.h>
@@ -23,6 +24,7 @@
  #include <ckm-common.h>
  #include <ckm-privileged-common.h>
  #include <ckm/ckm-control.h>
+#include <ckm/ckm-manager.h>
  #include <ckmc/ckmc-manager.h>
  #include <access_provider2.h>
  #include <fstream>
@@ -35,8 +37,6 @@ const uid_t USER_APP            = 5070;
  const uid_t GROUP_APP           = 5070;
  const char* APP_PASS            = "user-pass";
  
-const char *XML_DEVICE_KEY              = "device_key.xml";
-
  const char *XML_1_okay                  = "XML_1_okay.xml";
  std::string XML_1_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test-key1");
  std::string XML_1_EXPECTED_KEY_1_PASSWD = "123";
@@ -46,11 +46,6 @@ std::string XML_1_EXPECTED_KEY_3_AES    = aliasWithLabel(ckmc_owner_id_system, "
  std::string XML_1_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test-cert1");
  std::string XML_1_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test-data1");
  const char *XML_1_EXPECTED_DATA_1_DATA  = "My secret data";
-// encrypted
-std::string XML_1_EXPECTED_KEY_3_RSA_PRV    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-prv");
-std::string XML_1_EXPECTED_KEY_3_RSA_PUB    = aliasWithLabel(ckmc_owner_id_system, "test-encryption-pub");
-std::string XML_1_EXPECTED_ASCII_DATA       = aliasWithLabel(ckmc_owner_id_system, "test-ascii-data-encryption");
-std::string XML_1_EXPECTED_BIG_DATA         = aliasWithLabel(ckmc_owner_id_system, "test-binary-data-encryption");
  
  const char *XML_2_okay                  = "XML_2_okay.xml";
  std::string XML_2_EXPECTED_KEY_1_RSA    = aliasWithLabel(ckmc_owner_id_system, "test2-key1");
@@ -68,45 +63,57 @@ std::string XML_3_EXPECTED_KEY_2_RSA    = aliasWithLabel(ckmc_owner_id_system, "
  std::string XML_3_EXPECTED_CERT_1       = aliasWithLabel(ckmc_owner_id_system, "test3-cert1");
  std::string XML_3_EXPECTED_DATA_1       = aliasWithLabel(ckmc_owner_id_system, "test3-data1");
  
-std::string format_src_path(const char *file)
-{
-    return std::string(CKM_TEST_DIR) + std::string(file);
-}
-
-std::string format_dest_key_path(const char *file)
+auto format_dest_path(const char *file)
  {
-    return std::string(CKM_RW_DATA_DIR) + std::string(file);
+    return std::string(CKM_RW_DATA_DIR "/initial_values/") + file;
  }
  
-std::string format_dest_path(const char *file)
-{
-    return std::string(CKM_RW_DATA_DIR) + std::string( "/initial_values/") + std::string(file);
+void test_not_exists(const char *file) {
+    const auto name = format_dest_path(file);
+    const bool file_exists = access(name.c_str(), F_OK) != -1;
+    RUNNER_ASSERT_MSG(!file_exists, "File " << name << " exists");
  }
  
-void copy_file(const std::string &from, const std::string &to)
+void copy_file(const char *file)
  {
-    std::ifstream infile(from, std::ios_base::binary);
-    RUNNER_ASSERT_MSG(infile, "Input file " << from << " does not exist.");
-    std::ofstream outfile(to, std::ios_base::binary);
-    RUNNER_ASSERT_MSG(outfile, "Output file " << to << " does not exist. Reinstall key-manager.");
+    const auto src = std::string(CKM_TEST_DIR) + file;
+    const auto dest = format_dest_path(file);
+    std::ifstream infile(src, std::ios_base::binary);
+    RUNNER_ASSERT_MSG(infile, "Input file " << src << " does not exist.");
+    std::ofstream outfile(dest, std::ios_base::binary);
+    RUNNER_ASSERT_MSG(outfile, "Output file " << dest << " does not exist. Reinstall key-manager.");
      outfile << infile.rdbuf();
  }
  
-void restart_key_manager()
+void restart_key_manager(const std::initializer_list<const char * const> files_to_copy = {})
  {
      stop_service(MANAGER);
+    for (const auto f : files_to_copy)
+        copy_file(f);
      start_service(MANAGER);
  }
  
-void test_exists(const std::string& name, bool expected) {
-    bool file_exists = (access( name.c_str(), F_OK ) != -1);
-    RUNNER_ASSERT_MSG(file_exists == expected,
-                      "File " << name << " status: " << file_exists <<
-                      " while expected: " << expected);
+int hexToBin(char h) {
+    if (h >= '0' && h <= '9')
+        return h - '0';
+    if (h >= 'a' && h <= 'f')
+        return h - 'a' + 10;
+    if (h >= 'A' && h <= 'F')
+        return h - 'A' + 10;
+    RUNNER_ASSERT_MSG(false, "Input out of scope");
  }
  
+CKM::RawBuffer hexToBin(std::string &hex) {
+    CKM::RawBuffer output;
+    output.resize(hex.size()/2);
+    for (size_t i=0; i<output.size(); ++i) {
+        output[i] = hexToBin(hex[i*2])*16 +
+                    hexToBin(hex[i*2 + 1]);
+    }
+    return output;
  }
  
+} // namespace
  
  RUNNER_TEST_GROUP_INIT(T60_INITIAL_VALUES);
  
@@ -119,20 +126,10 @@ RUNNER_TEST(T6001_init)
      // restart the key-manager
      // check XML file doesn't exist
  
-    copy_file(format_src_path(XML_DEVICE_KEY), format_dest_key_path(XML_DEVICE_KEY));
-    copy_file(format_src_path(XML_1_okay), format_dest_path(XML_1_okay));
-    copy_file(format_src_path(XML_2_okay), format_dest_path(XML_2_okay));
-    copy_file(format_src_path(XML_3_wrong), format_dest_path(XML_3_wrong));
-
-    test_exists(format_dest_path(XML_1_okay), true);
-    test_exists(format_dest_path(XML_2_okay), true);
-    test_exists(format_dest_path(XML_3_wrong), true);
-
-    restart_key_manager();
-
-    test_exists(format_dest_path(XML_1_okay), false);
-    test_exists(format_dest_path(XML_2_okay), false);
-    test_exists(format_dest_path(XML_3_wrong), false);
+    const auto files = {XML_1_okay, XML_2_okay, XML_3_wrong};
+    restart_key_manager(files);
+    for (const auto f : files)
+        test_not_exists(f);
  }
  
  RUNNER_TEST(T6010_PARSE_XML_FILE_AT_STARTUP)
@@ -250,95 +247,75 @@ RUNNER_TEST(T6040_CHECK_KEYS_VALID)
      ckmc_buffer_free(signature);
  }
  
-RUNNER_TEST(T6050_ENCRYPTED_KEY)
+RUNNER_TEST(T6999_deinit)
  {
-    // [prepare]
-    // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
-    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
-    // [test0]
-    // check if encrypted private key is present
-    // check if public key is present
-    // [test1]
-    // extract the private, encrypted key
-    // extract the public key
-    // create signature using the public key
-    // verify signature using the decrypted private key
+    remove_user_data(0);
+}
  
-    // [test0]
-    check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(), CKMC_KEY_RSA_PRIVATE);
-    check_key_allowed(XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(), CKMC_KEY_RSA_PUBLIC);
+RUNNER_TEST_TZ_BACKEND(T7000_Encrypted_initial_values, RemoveDataEnv<0>)
+{
+    int temp;
+    std::string messageHex = EIV_ENCRYPTED_MESSAGE_HEX;
+    std::string iv         = EIV_MESSAGE_ENCRYPTION_IV;
  
+    restart_key_manager({EIV_TEST_XML_FILENAME});
  
-    ckmc_raw_buffer_s msg_buff = prepare_message_buffer("Raz ugryzla misia pszczola..");
-    ckmc_hash_algo_e hash_algo = CKMC_HASH_SHA256;
-    ckmc_rsa_padding_algo_e pad_algo = CKMC_PKCS1_PADDING;
-    ckmc_raw_buffer_s *signature = NULL;
-    int temp;
-    RUNNER_ASSERT_MSG(
-            CKMC_ERROR_NONE == (temp = ckmc_create_signature(
-                    XML_1_EXPECTED_KEY_3_RSA_PRV.c_str(),
-                    NULL,
-                    msg_buff,
-                    hash_algo,
-                    pad_algo,
-                    &signature)),
-            CKMCReadableError(temp));
+    CKM::CryptoAlgorithm algo;
+    CKM::RawBuffer messageBin = hexToBin(messageHex);
+    CKM::RawBuffer ivBin(iv.begin(), iv.end());
+    CKM::RawBuffer decrypted;
  
-    // invalid password
-    RUNNER_ASSERT_MSG(
-            CKMC_ERROR_NONE == (temp = ckmc_verify_signature(
-                        XML_1_EXPECTED_KEY_3_RSA_PUB.c_str(),
-                        NULL,
-                        msg_buff,
-                        *signature,
-                        hash_algo,
-                        pad_algo)),
-                CKMCReadableError(temp));
+    algo.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::AES_CBC);
+    algo.setParam(CKM::ParamName::ED_IV, ivBin);
  
-    ckmc_buffer_free(signature);
+    auto mgr = CKM::Manager::create();
+    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->decrypt(algo, "/System TEI_0", CKM::Password(), messageBin, decrypted)), "Failed to decrypt " << CKM::APICodeToString(temp));
+    RUNNER_ASSERT_MSG(std::string(decrypted.begin(), decrypted.end()) == EIV_PLAIN_MESSAGE, "Data does not match");
  }
  
-RUNNER_TEST(T6060_ENCRYPTED_ASCII_DATA)
+RUNNER_TEST_TZ_BACKEND(T7010_Encrypted_initial_values_asymmetric, RemoveDataEnv<0>)
  {
-    // [prepare]
-    // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
-    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
-    // [test0]
-    // extract data
-    // check if data matches the expected size and content
-
-    // [test0]
-    ckmc_raw_buffer_s *testData1;
+    restart_key_manager({EIV_TEST_ASYM_XML_FILENAME});
+    constexpr char testDataStr[] = "test-data";
+    const CKM::RawBuffer testData(testDataStr, testDataStr+sizeof(testDataStr)-1);
+    CKM::RawBuffer encrypted, decrypted, signature;
+    CKM::CryptoAlgorithm algoRsa;
+    algoRsa.setParam(CKM::ParamName::ALGO_TYPE, CKM::AlgoType::RSA_OAEP);
+
+    auto mgr = CKM::Manager::create();
      int temp;
-    RUNNER_ASSERT_MSG(
-            CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_ASCII_DATA.c_str(), NULL, &testData1)),
-            CKMCReadableError(temp));
-    size_t expected_len = 15;
-    RUNNER_ASSERT_MSG(expected_len /* src/ckm/keys/EIV/ascii_data */ == testData1->size, "invalid data size");
-    RUNNER_ASSERT_MSG(memcmp(reinterpret_cast<char*>(testData1->data), "My secret data\n", expected_len) == 0, "invalid data contents");
-    ckmc_buffer_free(testData1);
-}
  
-RUNNER_TEST(T6070_ENCRYPTED_BIG_DATA)
-{
-    // [prepare]
-    // to encrypt using RSA OAEP:  openssl rsautl -encrypt -oaep -pubin -inkey pub.key -in input.txt -out cipher.out
-    // to decrypt RSA OAEP cipher: openssl rsautl -decrypt -oaep -in cipher.out -out plaintext -inkey priv.key
-    // [test0]
-    // extract data
-    // check if data matches the expected size
-
-    // [test0]
-    ckmc_raw_buffer_s *testData1;
-    int temp;
-    RUNNER_ASSERT_MSG(
-            CKMC_ERROR_NONE == (temp = ckmc_get_data(XML_1_EXPECTED_BIG_DATA.c_str(), NULL, &testData1)),
-            CKMCReadableError(temp));
-    RUNNER_ASSERT_MSG(5918 /* src/ckm/keys/EIV/code.png */ == testData1->size, "invalid data size");
-    ckmc_buffer_free(testData1);
-}
+    #define MGR(OP, ...) do { RUNNER_ASSERT_MSG(CKM_API_SUCCESS == (temp = mgr->OP(__VA_ARGS__)), "Failed to " #OP " " << CKM::APICodeToString(temp)); } while (0)
  
-RUNNER_TEST(T6999_deinit)
-{
-    remove_user_data(0);
+    const auto rsaCrypt = [&](auto pub, auto prv) {
+        MGR(encrypt, algoRsa, pub, CKM::Password(), testData, encrypted);
+        RUNNER_ASSERT_MSG(testData != encrypted, "Data not encrypted");
+        MGR(decrypt, algoRsa, prv, CKM::Password(), encrypted, decrypted);
+        RUNNER_ASSERT_MSG(testData == decrypted, "Data does not match");
+    };
+
+    rsaCrypt("/System TEI_RSA_PUB", "/System TEI_RSA_PRV");
+    rsaCrypt("/System TEI_RSA_PKCS8_PUB", "/System TEI_RSA_PKCS8_PRV");
+
+    const auto sign = [&](auto prv, auto pub, auto hash, auto pad) {
+        MGR(createSignature, prv, CKM::Password(), testData, hash, pad, signature);
+        MGR(verifySignature, pub, CKM::Password(), testData, signature, hash, pad);
+    };
+
+    constexpr auto rsaHashAlgo = CKM::HashAlgorithm::SHA512;
+    constexpr auto rsaPaddingAlgo = CKM::RSAPaddingAlgorithm::X931;
+    sign("/System TEI_RSA_PRV", "/System TEI_RSA_PUB", rsaHashAlgo, rsaPaddingAlgo);
+    sign("/System TEI_RSA_PKCS8_PRV", "/System TEI_RSA_PKCS8_PUB", rsaHashAlgo, rsaPaddingAlgo);
+    sign("/System TEI_DSA_PRV", "/System TEI_DSA_PUB", CKM::HashAlgorithm::SHA1, CKM::RSAPaddingAlgorithm::NONE);
+
+    #undef MGR
  }
+
+/* TODO
+ * - RW/RO location support (files removal, flag handling)
+ * - item overwrite
+ * - backend attribute support
+ * - independent tests
+ * - different formats (also encrypted)
+ * - complex tests using ckm-initial-values tool
+ */
diff --git a/src/ckm/privileged/main.cpp b/src/ckm/privileged/main.cpp

index b652a23..f750ebe 100644 (file)
--- a/src/ckm/privileged/main.cpp
+++ b/src/ckm/privileged/main.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -102,10 +102,10 @@ RUNNER_TEST(T1511_insert_data)
          int status2 = manager->saveCertificate(certimAlias, certim, CKM::Policy());
          RUNNER_ASSERT_MSG(
              CKM_API_ERROR_DB_ALIAS_EXISTS == status1,
-            "Certificate should be in database already. Error=" << CKMErrorToString(status1));
+            "Certificate should be in database already. Error=" << CKM::APICodeToString(status1));
          RUNNER_ASSERT_MSG(
              CKM_API_ERROR_DB_ALIAS_EXISTS == status2,
-            "Certificate should be in database already. Error=" << CKMErrorToString(status2));
+            "Certificate should be in database already. Error=" << CKM::APICodeToString(status2));
      }
  }
  
@@ -138,12 +138,12 @@ RUNNER_CHILD_TEST(T1702_insert_data)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == status1,
-        "Could not put certificate in datbase. Error=" << CKMErrorToString(status1));
+        "Could not put certificate in datbase. Error=" << CKM::APICodeToString(status1));
  
      CKM::AliasVector av;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getCertificateAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          (current_aliases_num+1) == static_cast<size_t>(temp = av.size()),
          "Vector size: " << temp << ". Expected: " << (current_aliases_num+1));
@@ -155,7 +155,7 @@ RUNNER_TEST(T1703_removeApplicationData)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->removeApplicationData(TEST_LABEL)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_CHILD_TEST(T1704_data_test)
@@ -169,7 +169,7 @@ RUNNER_CHILD_TEST(T1704_data_test)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getCertificateAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          0 == (temp = av.size()),
          "Vector size: " << temp << ". Expected: 0");
@@ -187,23 +187,23 @@ RUNNER_TEST(T17101_init)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->lockUserKey(USER_TEST+2)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->removeUserData(USER_TEST+2)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->unlockUserKey(USER_TEST+2, "t1706-special-password")),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->lockUserKey(USER_TEST+3)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->removeUserData(USER_TEST+3)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
           CKM_API_SUCCESS == (tmp = control->unlockUserKey(USER_TEST+3, "t1706-special-password")),
-         "Error=" << CKMErrorToString(tmp));
+         "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_CHILD_TEST(T17102_prep_data_01)
@@ -222,7 +222,7 @@ RUNNER_CHILD_TEST(T17102_prep_data_01)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("data1", buffer, exportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(T17103_prep_data_02)
@@ -241,7 +241,7 @@ RUNNER_CHILD_TEST(T17103_prep_data_02)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("data2", buffer, exportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(T17104_prep_data_03)
@@ -260,7 +260,7 @@ RUNNER_CHILD_TEST(T17104_prep_data_03)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("data3", buffer, exportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_CHILD_TEST(T17105_prep_data_04)
@@ -279,7 +279,7 @@ RUNNER_CHILD_TEST(T17105_prep_data_04)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("data4", buffer, exportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T17106_remove_application)
@@ -289,10 +289,10 @@ RUNNER_TEST(T17106_remove_application)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->lockUserKey(USER_TEST+3)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->removeApplicationData(TEST_LABEL)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_CHILD_TEST(T17107_check_data_01)
@@ -306,7 +306,7 @@ RUNNER_CHILD_TEST(T17107_check_data_01)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          0 == (temp = av.size()),
          "Vector size: " << temp << ". Expected: 0");
@@ -323,7 +323,7 @@ RUNNER_CHILD_TEST(T17108_check_data_02)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          1 == (temp = av.size()),
          "Vector size: " << temp << ". Expected: 1");
@@ -336,7 +336,7 @@ RUNNER_TEST(T17109_unlock_user2)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
           CKM_API_SUCCESS == (tmp = control->unlockUserKey(USER_TEST+3, "t1706-special-password")),
-         "Error=" << CKMErrorToString(tmp));
+         "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_CHILD_TEST(T17110_check_data_03)
@@ -351,7 +351,7 @@ RUNNER_CHILD_TEST(T17110_check_data_03)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          0 == (temp = av.size()),
          "Vector size: " << temp << ". Expected: 0");
@@ -369,7 +369,7 @@ RUNNER_CHILD_TEST(T17111_check_data_04)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          1 == (temp = av.size()),
          "Vector size: " << temp << ". Expected: 1");
diff --git a/src/ckm/privileged/system-db.cpp b/src/ckm/privileged/system-db.cpp

index bf920fe..e9c7a5d 100644 (file)
--- a/src/ckm/privileged/system-db.cpp
+++ b/src/ckm/privileged/system-db.cpp
@@ -43,6 +43,7 @@ const char* APP_PASS            = "user-pass";
  
  const char* TEST_ALIAS          = "test-alias";
  const char* INVALID_LABEL       = "coco-jumbo";
+const char* TEST_PASSWORD       = "ckm-password";
  std::string TEST_SYSTEM_ALIAS   = sharedDatabase(TEST_ALIAS);
  std::string TEST_SYSTEM_ALIAS_2 = sharedDatabase("test-alias-2");
  
@@ -543,3 +544,49 @@ RUNNER_TEST(T5045_SYSTEM_DB_ADD_WITH_INVALID_LABEL, RemoveDataEnv<0>)
      save_data(aliasWithLabel(SYSTEM_LABEL, TEST_ALIAS).c_str(), TEST_DATA);
      check_read(TEST_ALIAS, SYSTEM_LABEL, TEST_DATA);
  }
+
+RUNNER_TEST(T5046_CLIENT_GET_ALIAS_STATUS_NO_PASSWORD, RemoveDataEnv<0>)
+{
+    // [prepare]
+    // start as system service
+    // add data A to the system DB
+    // add data B to the system DB
+    // [test]
+    // system service list alias status - expect both items to have no password protection
+
+    // [prepare]
+    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
+    save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA);
+
+    // [test]
+    CKM::AliasPwdVector aliasPwdVector;
+    aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS.c_str(), false));
+    aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS_2.c_str(), false));
+
+    check_alias_info_list(aliasPwdVector);
+}
+
+RUNNER_TEST(T5047_CLIENT_GET_ALIAS_STATUS_PASSWORD_PROTECTED, RemoveDataEnv<0>)
+{
+    // [prepare]
+    // start as system service
+    // add data A to the system DB
+    // add data B with password protection to the system DB
+    // add data C with password protection to the system DB
+    // [test]
+    // system service list alias status - expect: first alias - no password protection, second, third -
+    // protected with password
+
+    // [prepare]
+    save_data(TEST_SYSTEM_ALIAS.c_str(), TEST_DATA);
+    save_data(TEST_SYSTEM_ALIAS_2.c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);
+    save_data((TEST_SYSTEM_ALIAS_2 + "1").c_str(), TEST_DATA, strlen(TEST_DATA), TEST_PASSWORD);
+
+    // [test]
+    CKM::AliasPwdVector aliasPwdVector;
+    aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS.c_str(), false));
+    aliasPwdVector.push_back(std::make_pair(TEST_SYSTEM_ALIAS_2.c_str(), true));
+    aliasPwdVector.push_back(std::make_pair((TEST_SYSTEM_ALIAS_2 + "1").c_str(),true));
+
+    check_alias_info_list(aliasPwdVector);
+}
diff --git a/src/ckm/resource/XML_1_okay.xml b/src/ckm/resource/XML_1_okay.xml

index 92fe3fd..e40a026 100644 (file)
--- a/src/ckm/resource/XML_1_okay.xml
+++ b/src/ckm/resource/XML_1_okay.xml
@@ -1,18 +1,5 @@
  <?xml version="1.0" encoding="UTF-8"?>
-<InitialValues version="1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd">
-  <!-- if EncryptionKey present, the content is an AES key encrypted using device key.
-       The format is Base64(encrypt(AES_key_binary))
-       i.e.:
-           * RSA-OAEP encrypt AES key: openssl rsautl -encrypt -oaep -pubin -inkey device.pub -in encryption_AES_key -out encryption_AES_key.encrypted
-           * encode base64: openssl enc -base64 -in encryption_AES_key.encrypted -->
-  <EncryptionKey>
-      QL/5RW1VfS1uya04CWkVy1eykdhnRaTFiQ6Lcv0XFYhqgUKp6+PxxT1xjaz8TCVp
-      UcKorZayMPCuStRAylViZfxHFhXKR3awH+FcnGMZrhV6kORy39YCba0NGc5eAk3s
-      CBPYdRRiV7ejJSOI8n3zFjituVhHLcLuZB6xHvQQpQFFYV0BuF3BXfx6roP4+Olj
-      bZ1fYDrj8QIzqi3RV/ORGbl1BqHVRoMN/5XB+8oVKVn/EMRZPao4hnkV3pTI01Ss
-      Wid4fIHzBpi8rkkxr80/ym2BkeA/piaPNGOQtKjVfBOn/SuR2LQJreG6QbI6MYXC
-      ZVOanzc0euaenw1q9b+yEQ==
-  </EncryptionKey>
+<InitialValues version="2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd">
    <Key name="test-key1" type="RSA_PUB" password="123">
      <PEM>
        -----BEGIN PUBLIC KEY-----
@@ -113,192 +100,4 @@
      <Permission accessor="test_label"/>
      <Permission accessor="test_label_2"/>
    </Key>
-  <!-- key below is encrypted using AES-CBC algorithm.
-     The key used is decrypted <EncryptionKey> provided above.
-     Encryption:
-       * encrypt AES CBC: openssl aes-256-cbc -K `xxd -p -c 64 encryption_AES_key` -iv `xxd -p -c 64 encryption_AES_IV` -e -in data -out data.enc
-  -->
-  <Key name="test-encryption-prv" type="RSA_PRV" exportable="true">
-    <EncryptedDER IV="X1RoaXNJc0lWRm9yQUVTXw==">
-      BflJyNgOcGyJSqTegG+y7MJXI1crgsGY3PjFfMpbmMbwJkVexvxoEPdf2yE5Z7da
-      6Vp4Qo2WOCUv/hllNTfm/dH7kOJOjcs/vaV1eRIfzEx3hvgKOyP82Hhkm1POynsF
-      0GyMm/VwtJFwFHA5DaJzwLln2/AoD//vC731Qhucw0Zvi2hi74d6igPog9EugIj/
-      tStvpgiNE6/Hb2ZRMDswgZ8o+tKCn+QHktR/YoZ19HfX7nDVRkMQxsiA8P4zO9Do
-      +iuiu/mGPVavlZA3df47TLG0kz+sz72jzPeEbfmvQo3gHWSuJ87TUwIcIoXDvaxY
-      xE8/On5OTqJy8HZ+jGvEThKI/96LQsFqKlEeGGenvzVJ+BVAF9x65uOkRll9yE6v
-      FIQcqbgipuBkdC6XLLaWTMgs5iiWvMn/lpNYrfZr52/TKqr09mNdei6yGvy+YuG8
-      vu/xN7/3An/zE4FOIJadgI5eADj+Dz7exml3tKTuuDpR9fhxiXd7HmZhCCf11C3r
-      54S6X9bZb7335L/5UfLxs4jMMfGhYD+1UF1Qb5zVW9IVMZ+owGeC6QQPUiX6HAxy
-      Rx7kLzd78uSbLNqeuiUeGiprxnuwMY2BgSqLq4WNCDWxY4hGTdkC7yg6DgY+L9Lz
-      wqVuJ6STmK9Hj9bL9YUe0KrzmVUfmsaq5PL+gfcv+S5lp2YlKw1cIVP9utw1ZuOo
-      j25EozWU8J+tuEa3l60Mmmh/sKzH9SH7C9EscwTYWOYjYYPwfCM9UIlNE9lnbl9s
-      bzkqJvaaXpB/HVY/b4wrldr1rK73+y9LOOzfNpV4L+R4spZXXjZ2HIW/iKQj/c14
-    </EncryptedDER>
-  </Key>
-  <Key name="test-encryption-pub" type="RSA_PUB" exportable="true">
-    <PEM>
-      -----BEGIN PUBLIC KEY-----
-      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMP6sKttnQ58BAi27b8X+8KVQt
-      JgpJhhCF0RtWaTVqAhVDG3y4x6IuAvXDtPSjLe/2E01fYGVxNComPJOmUOfUD06B
-      CWPYH2+7jOfQIOy/TMlt+W7xfou9rqnPRoKRaodoLqH5WK0ahkntWCAjstoKZoG+
-      3Op0tEjy0jpmzeyNiQIDAQAB
-      -----END PUBLIC KEY-----
-    </PEM>
-  </Key>
-  <Cert name="test-encryption-certificate" exportable="true">
-    <!-- Note IV differs between items -->
-    <EncryptedDER IV="SVZkaWZmZXJzRnJJdGVtcw==">
-      pPjY7wULPaBIwPKkgwKyKSZPa6NVJN3312q829KaXcNdQSoNJmsyyPDMqLr1W3Nw
-      /5DSfstMCh/MiUq4Dc1VCaHbVkRFVZMvitg7nfjDVkI9HGLpSGWzz1dc6kxn/rPv
-      l1Ox3sVog96Ebss+Givm4cKKYSQihCLTxcQcP6v4RGvTMhXIZmlz8n4Tr3MgyRB7
-      XTWdoowosEUWrzPMSD39y18gRJVZ/ZKv68o5mntatSE8FS1L6dgb2TdKEFdydVd2
-      /ob9GVwRkMxpBsQeUvPRYXnZS2f1L18IRPrKLKLKsDB+FysyXMAHMaxGWWil29/d
-      osOwMt34i6Bv21132lGt08t2LebmDJViZRVjzz9edIChBzsoG/E/3hX6v32ruJGU
-      2kq5l0bOmpQFs9M0TTNNWnaZKvpFPA8b3ywaDRWeKAPHsNQpnrx0WygCmvbjUChf
-      TP1E5BVm6YjWxptvFvEINcotCj2+0fvG3zIcq01O/MpSFWbGdu9MLZtFl1rTRt8e
-      ER8+nOKZNi9JUOfsYJyrZmtwm56LXTPjgNYY+a8yp2EXFtHjO62QKYr8zAi98PxL
-      oiELHLF2xwFufvBAssSOPwRmDSIhljPbUy4UKUxFCeMJzdxgK0DMZw4FtcyBXGgG
-      ABP57OQ60HomoZZDwAQ/4B8unuOCp7uERsQH5Z4Ns+PiIM4Tk8j9Qg4YVN43FJtJ
-      tCsfagBPuQM+Cm5law0Y01asMr0wq/VlILMKX0KXpwgnVmQClRfcYBLHQmDTyCos
-      kYSWrSYDesvXJnB1j/hn1puCQHfyrmPH5fQTzanD5whyed7DeXBl+F5+f73uj9pC
-      DrtqG+YEOeJNj0PCAMq9B4Qe6xi06P6D/sG17Phl9wH5DSzfxxlst1xeaPBko9Bo
-      LM6Sh6echKIh0HddStmaBICXNeVKz958tD0piVYMVipZm5/+cpDxdGSuemUxWXJO
-      XAuYydZkuLksYjLyXDO5vEaqcVMtu54tjfdFS7vO87a9IF+mI7HHHdnNaDRHaAFi
-      4rXdaGQr8zohq91NE3JYgSMbk1DlGfL1m9GN6IEUjqMQlAkGWal1Et9uwO98PpOk
-      a+r+N4lsYPKJbX2ywUvDHg==
-    </EncryptedDER>
-  </Cert>
-  <Data name="test-ascii-data-encryption" exportable="true">
-    <!-- this below decrypts to ASCII: "My secret data" -->
-    <EncryptedASCII IV="X19hbm90aGVyX0lWXzJfXw==">zuBDjp8ptFthrU69Ua5cfg==</EncryptedASCII>
-  </Data>
-  <Data name="test-binary-data-encryption" exportable="true">
-    <!-- this below decrypts to small PNG image -->
-    <EncryptedBinary IV="UE5HSVZQTkdJVlBOR0lWUA==">
-      weK/LmGIPHeNA2YipqJa4K1+KPkE/Jl5EtfJjzP5x5ZGhf/OOTYe+fj4p2Wx47AC
-      Nd/heOAi3MkFrwu5x+swFMIeQMCMzQpRbXeCvTEuTXWnmRMoyMbHlPd7Nnk9xooF
-      oYfbKhVd5DOcHN3pwc+5DQkrRy/XaD1faj3YR3JEYSfOLq4F6hLlj4U7rYJyyFuf
-      kSBOTAQOXs0q83cc2L7RaK7OzFJPKYJjDkVYIakpIHXUcvNrb2DrJ13se4pcX6Zk
-      KARviziVu4x9r7hTRErU8SNEWrO6E63oDfyetWvtymT17MEhRsRKS39zhrVLHzGy
-      iWx2Igh6eH6t4UNkMIHZvJW4j8hxdmbRwhQstXrVq7Uyne0B1Fl2w7Lpn48jYEq8
-      gaNlTZDzd8Pjz2ByrRq3/jln/xWnFwEY9oV/H53j6ctoJ2KUMiVYKej8anan8Fju
-      yO86HVEIYx++LblhqzuaqBhveVfB/feMYWpP8hi4AeWKcAGdM3L9QOYxbQ9OAOuC
-      Totu55NULkrzb5b+Rr+exTFpdEyic7sSEpBRV0vi6t/Lz72ebBq1oY3kn0dzZ6Ps
-      ia6ccITSdHW1MmW7cOkiA4XtyfvXtZtEJgmVnAnRrj4Qh0Oa9gxNOZrY/tlyyJod
-      v8JLYeBi3HRSlm2TME5hCHpBShVCRpkjLMQQ/nTPHvRNqr/BlPoXZg2FbJwreEzW
-      NZ2BaiKylRds5gnmmSnqnYUl4QtVSGsJPn8Hx0bNWwUeImjrXO9Nm01P8e5Iy+Ti
-      udxXTwpxZGyK2pbTs6EVxFY+fRF3SB4xcpup5fB6NHVPjiSrWABN848OReny3iS0
-      FXwimWaVzmA5Ppnfqx1HGopmhH++oZyKt8W/f8GbhOffON0Gg3bsewhysW5Rz+Rx
-      IAGqzV5RR1lOb+UKPBI2OPXqYUWZ9ipicSw1LC39olImBZbDmmxLDEjX5r+rg77h
-      ss0hG/6847KQybmemJ7zUVE2oxmic2fONpgjn3OLecOZpUY/5n/1cvN8utLBJ2nx
-      asan7zBT+nW5RjAny8pOyyV1Ux2qga/CyV46LajHJiFPokAAl6JnDYRmahtA5BM0
-      +jBvvnvSDGSM5qTh0EBLIN50WmN2TeEy/u2ZjuHFwJ41gtB6pARdJ1OT59+g5TcA
-      Ffc8twDzdbPbmWq8CGXVQHCvfS+2N2ECjwgnfVL1UZF69d5t9b5ysK17pU+ITPyI
-      Bxxde23I6U7sh2owrZgRAOVoA804flRg6g6rDJyVfu00oDkuui+Z/3RAsu6EiqiK
-      XISmLg236iumsxXcdAtOYyXn0nPZolsZnxzY2/bI0Df7rNSQ7RF5SSqhkFg1+OYT
-      gM4wMYYU0ts9jqr3ckJRWMRMdJxRsVVqSBo4fz8M5/dXMsOvGbLfnbwrqZSPCXrg
-      g+MX3QQdemmOgiEAGE+hxFBQMyQ6nIrDP061F4TVVhu4kGkZGxs/2W+CcQJT0aF8
-      DC0EwfEBVP8yq4ytCU7Js72KkA4YsK2udUsQF/90cuzPSgT8FPDEOzszKsLGuct4
-      T7Fj2Du1bVeVq4gPfdLgOdVRrZLab6vS5GFbli8UO0oAbM/Srxfh2Ghn4zS7Ol3q
-      MnwX36r3+KFNJYkBxCDMNEnj/QrSWpOlKo8LfAyGdvP/29CpmzPIGTUc1u8xZpJ0
-      CmFOaxjaAFJH3BjW625QbcicOnN02p0Pv00andcDNEO4k3b3MgW6yjkDBKqQ61dz
-      traH19g0fFa0pjXycMqy2uwq7PhLW0QqYt4Q7cfvWRMnAOwJqhHOGGyzEixB1U5c
-      q4d8izdqb0JacE6px+WJ44a530L1nhy2O5jpaKVQmNYIKTBM+HYVuHNWTWmnauKP
-      ag4q8G+9EI/SRp9wKoGy81W5GwonV3D6/4N9hnQfqqRKUrbrhWc9NcUciWKh4b1n
-      Om499jdDw+7qXipi3ggPCFq0H3b9CPkKMFh4Y/YDy1SvXEDSlwJ4bXXakOpVzW9t
-      gDxk/fvZ8AHrFAYzW1wiDFZ8H5ZnhgBMyfztLOYBbjr5YSGej++Sq0DYoOkrK4X3
-      7+2nMrrhqmlukI7ufoP+8nsJjHdQK8yoQYGmwEEw9QHLyupqPVIQrO/VDgSN+6mW
-      YsulTKW9wPhk6dvsSMOscLUdDiOTeK0jGH7Qa6QQwk/u/agHSPWh7qLpEICjKBxx
-      pOMbZ3mGqTXIj+7tG0yO1/y2UXE6JTIXiMEvMmdCEiRcz1RJ6xx/aBwC2//tfiys
-      nNMswTCXePtv5P9Zn+ibIiOhpm0napHopQcqmevn/DSkxSuDfwevae3bgEcJ1gN9
-      pkTnOm22CQzoGJY/b0wgNvxXdWhAAfeRhzpdh3V1C4dZEF8VXHDDt5gdjb0s1fNI
-      2LiSruLVdAWmRNX5mrkUFfBOzWwsN3D34pG2Vaj6GuH8mAoko68oy6fUdjCjZooY
-      hn+u5bGm1T8Mf/YYloTWg4hlOWIEfOiLP7nCdCgRdsg+y0Gi5MY04fS29SlfffUp
-      VUdLzQAij+a/wbBLJZMLzJiYeHv+pFY6m1SbMoUsDbAo4PTRaLHmMOFKa6s/hlka
-      lfN408DHSNs63Gd6s3W+Owe5hMccfKyRvWdNRVrXBe39I101Sci7GwWAvHhhS9EP
-      2HxxNyiwF1OCovnRHcm1b8Fcd42gbAveRVuFdI96dbFIeP0Z4I2gj+nk/yzlsG32
-      LYYzE9D4WR2zjrTyVnylsJN76lyvjvkYjMt7fPt7lFYz7QLdZX8riGxqeFmim6Sk
-      UQ4RXxw/ObCw4omILxvgigW+eAhgng63Yb9mRDOrqk/cL5XECiahSs3VWTjV9sy2
-      rNSPViWZW/LFOjuC3cT5rWEbc64cl0eKJTivEangOXxirRGW1ltTlzQo5kA933l/
-      sRMr2tBSrX/+LqfPWNA8UZWSdMBcc0oDvDGrpTUtLcor5kshYN7PPdaR9TAf8ikY
-      631mOef0HkQFsBUCFp9sr6QJD0/cfLlK5iLlyt+qFo2IgX2boddFwMtpYCt1+Uy1
-      H2u6FuItIfpRu9lZ7MZf24HGibGx5/fzTXjqGMObPOaoLxI4eh1GGhIfVqmT9ntv
-      e2xHoNH+tLxOHPRNHEkKRtJoB1HH20+mT6JzEdPNPmsdTcN4R0xjw0ZHTha2iBkt
-      ocGow+1nYgkoieq1QweEbbCbF71XtUpyMxMSd+BAPIJJReRGvt3mD9RZ54HqlczW
-      MA0LYe1rUX0Mh2Ic0x1rXZuo33PXcsKsUpfb+EIPhBjpx2vCNMiFPcM+F0NVh/PP
-      zgbdjlnHr6DXn3rut6Y9fTau6UY8BmeOjG4LcNzcvcHHr9/8jXyW9wWAYYVRUI3J
-      89/GR+YxW4WGuRBIV+wMkzBJmP7QDwAedSNBSAKa+08GKfJJRL2zIVgjffeBO+Un
-      TMTT7Q/a3bm+yekGsM6bchWTpY2ywdYQr936D55THonqCGlvPKyVHQaEa4U2eFDb
-      aIH84kP4olPCcC+TmWHBeBwMGvbW160hRCr3kSGY7hHcD0aXkdZPh1bYyWsIz/yS
-      eyUYCR+4Abu9lT1rTwHiSeo4YjNHOwQcfzBN9BwFUs6G1R81oC3qCwTYuJS2Eo09
-      +sii/oH/o/7VjvewMmUzDHVJ4iMa8yRXtfOObrM9MfsQ0p9GnP7UTG3VwleIenFZ
-      43DhvDl+kolw9phRuyCuCy7fSI8e7ejcQ3gSYWcIcgIIA5y/KdoCJDNdTjj3xDdo
-      p+hzg0OTjK57Fw286IVdzO5e5zznX0SPqXnZYncHHl2OmGZ+DT8ftkvD4BUJ74aO
-      fLsVwAZYJT1tSG2ymzu9yJR5p+hPTScpPi8HUDCnL4xL304Lmj3UfDauNJQcM/gT
-      mAJ/bfEtRqldMtN1EuH1TexvSkwkPrTUkryq2TYcw7vS72tNi+g6aZ7NdrQ8l4KZ
-      ZmrfwFnKNiVWus+zrffSDooEFZ3mj/vsFvV6fhw/Ni4QD1XAb0fJawUHvt0WHqZA
-      YnszBOzdmd8coJI17XbcwcP7DEoKIhLbPl1n0KNjL6j4EEoClwxZC+hAhi8kKMB3
-      aWj4zpeIExYST8NgtCz44SoBTv5U0iCR19mhdcTnafGyRK82dGiBNguk8//siUiC
-      jt3Aa7chapoiQNwZGDCmSrZOxOoxMYlBuPRVQqeokPinsw5rkLh8+arz1XRDyuTK
-      vQ+jttyIVA9OFI5+e/hN0ryn4GPbiCG5wV5SKweRUCcX9m8TK5u6A3rhMvlcls3T
-      INn9/XjCX6HhVGgZ47LSmcZ5ojtWzOKpad0v8qjD3z2BWzUlbalgYsdWrsRPSeDA
-      wiGpKbqb9u0S1e6hMmGyNa8UbzhYtJ/AQ0qh003YR7j+nlfJXffNkt2B4DkDdsG3
-      Alfhalwn5YUdcgm/6E+gnIg7JR4gXZhBL1R5SV1mzUgzyDEq5w2LBOx+TU33a3qf
-      ld0dJDJl0cG22n+GzQmm/6nPMnWX1ymK49h0tO9fLBLZsL8T1muo/PshhjhIv5VR
-      9ET5UN5I+9d0nHWAv2DjNwetyD3WGZDHnuq0mpti58xzkOr4jfYqy9qKwFk/coAu
-      Briwv8OJ2U5XEOuU/9fEL+NdYWkHga++oObyxJUU5Qgfs6OWUXERyPwzgXHkbDqm
-      q6+GP1AxBAP32zD0XyGUht1nl+L5qpnbOpISJjMMrl7wuKezWbFAE8VzQNbbp62O
-      eI1GEX2c2resPXZ/tS5LtoZ2TrT8TKYRZ0k1qLuQhOTXXNYQhP8i4PGOAL6BMZsZ
-      USAEHcAZnlByBS8i49IlvJMewPfHmm7ceLu8aYlm3yOAr1QBNRMkxoJBXjAAnCCx
-      qCGIQtINrVIJNQDSogMPXa4JQzCRSsT0Hz8ejQeQ9xmaK4VjM64VRj11RWsHFexk
-      p+GdAGVteipz1xEQHBvnUdOVm/5ULHK+8w+5LgEwN0jGXlsQ6KhUX5BLQMWob0jL
-      1np3Hml3MDxsPJPJjT4OKxNdWyyyP6PIDZj7DFqEa6+9Eg5Io7TSNk4e+LylfpPS
-      orsF2xaUzCaKOXjyXwPrW57UH8HtjnaeWh03qqdZCozCDdQ0pNpPk2vJYStZR/rY
-      BpQHZ6kZyLFdqLs+wMoPphF7q4bhjYk6MXwdHp5Q9q+MWPuM916g6vKaHUX+q6pL
-      YM8s13NkuUX1hEHaOC8I2dEsgcVPk++kDAR7JL5tn5hfJ06K8u5IHwuLUMtLKPt5
-      ZA3LfrnXxqlZD164blhAvb1qPlRTh79+Tj+3zfwaUPma3PmTY12fvJiOn1aD4aYm
-      HgA0yrl2cApzB3C6M1S2QllsoJ/KrWVeSg16XuC+vjSnsRWgIj3PSvSwh9YVZT0h
-      TQlD/PoxrMOlPtQnpHzryQ8YKrTBc4SAuO23wKGkfUBkaBDFrUeprO2p0K9Eeus9
-      jLkIgwTBwmF9bWMi214VdAI3I2BrJkGnx8Rb11C6rEu/5ZeI7g2dACSO27OhckNQ
-      ex490kQvqs1OJ6Fb/CyO8BsLBIyOhkEtglJsVibbcZrHnvoRYeRaWZj9TNdN6I3B
-      Dj0SwxDK9XAwGgWb+E4iwFUUg6yGrbBhUDWv5K7/ncgXz8iESXFKRowuD/J7rriU
-      V/s+yZ8URntBrZ35unuKu4xRieOEkn/JZg+HP0Grs5q3OQumEvZVjHqeJt40WaZ5
-      RJ3NiiHGwWVa6Db/1q0cfETbTn5Qcy2k8ZE+OnRzAmI14nr6lt4eJRnMJ63k4nGc
-      Xj0WpVm7vhVWAQ9gfiYCcbYrR31dUeOBxsRtF+Lvg3TNEx8/x4LeGfxC9c5Ho1Sc
-      Z7fz+/ZycHFx+08W5Mb6PlKhI44uY8bed2Xz5gQhZ1hyXk6Y41uxabUryeCvrLrh
-      PJX25FkOcLhZnWDcyCQ1Rt4JltnZcZzHq12Ipgovos3lPOarySOzSHjs1TjB6Bv1
-      zfBrCAGiY3rrG/W5gXs5eb97dWn5P8CD2uuZCBbTo0GVHdSHV9+JFHQO/0udmnEV
-      e9KRka43HU7AC+3aLeCq1KMoW/anl4DwPXdBCV6hj75TZ0EaA7Q51ETYFCLtyXzt
-      eiU9PE+bEymV6nk927wg7v38GLmdLTJ0F/G4MV0T4UxAdUrsAW33MGXC9/8YyOAz
-      zGh36fBdxTpM6hb1FHJl/tdboIAcTBJRobgmvhaDDVhsJiMJMwRhSFqcE7Q04c3c
-      6rLNGZQ3/u5/Atj5ApZ60ZMH0N5LYcTm98HOROGiFbrYSiSqUyeoIPvME5FwijLw
-      eCxbwjP3WvUSw8XTeIoAf5QwzdI6GRX+6ontCvw6m3l1TohH/ACA+MK+qV1cTgMV
-      HdjywH4SKs3KfwCcTF4gxkHdYlNYDW63Z0lhAtDBXMxUNM/u215Wo+zX0gaSUqeu
-      by47hfhTHP5mW6ITRFvKcS/qUqo3iELljwSXhdw7PwM0whLnSEMGsYh27YVxEzBT
-      n9vcM5tqGykKs1wwmpXpEa6Zliu9swprpQCL5TcOVFKVMjSmDH2OwmaDwcFeTM50
-      mg7BpiA5xLyQFphs8BPbyzkxNlbSI20S67Gx6yScrjsDxcEcVqmcyVVPwn/SqzVL
-      PyklAUbvRcRzkhvibBngIaFUfXXdCOrdQc8Ym/5kKeQ+QLiXxfIYmYKa2uyvMeTe
-      xoag7cmuUnICIYBrmHnVDNxXtC9mNiooUaX2S1lH2ct4s/NwRJm2c5O/igKO/byg
-      wQjiGqDZHyLlPSRxXbxG+tTf3qx8thYbJAO0r+AXYRj+sjJ+MtRozgY0nUeFEJb0
-      ZeYQGlvtoXlGo876JWJ/e7JMatHxGGQ58vJApMTphe/PPh3WTJTE02Bs3Ylft2bp
-      EK5ODopXJ0UmQTn6T1hUwBRu9RO5rICr34XnFav06WekBT5/QTqHEvZ4k4//hvGr
-      d7PQS/EVLApiYWySLg56svmjn4RwfPSPHOwGagU311QOx7woYJD/vb4NBxXb99Qb
-      7z42exUoZgqX+uKwHCuTzH/OVxhqrSoMX2yj09V6ZDUVHU11GOtDzVv07OU+u2vi
-      F0wPdrbedpmIr5BMCdCmqlIPYeBiaMVa/2+q3ud4o6/TeWmQpDZJCQ3xtxrNORQ7
-      HTlY0MDp7G+sdPWJCN5OJ0Ac7uKW72ZC/5yHBJY7Lmrhi3V3vA+DH7A4GgPAphQM
-      yWlBP7sQqVWcA1XlgTycRzkfffXEUoS6qef+IgU/3i/kXmeNnf2kSvmtbiO4GRhC
-      Nhk2s71NUtYXNFJPav5/ZPXI3qOuySow5GYp3njGYmDhO45IzFCcQu40FqiOeyoV
-      lRYTS/BrybkMCu2S3VmIY9/2e7gguYigmyZRvvqOUED9JRqOfC14n5+wtxzSj/nw
-      xFFukVHQRNF6jcZLUNs0SoeFS/obPCE+QiDYBKVrTeT54LuwNLpTrgTnTkDE5VIm
-      LpX9ERh0Yh8HAO7eLHIPAiU/G1Etlc43GcDLN7bbGPQbCvKRzWKSUrLwKmryvTPi
-      eC36fh/yZEWtT2zEtddwbncRgXT20opzMJxB3qF5ZMQ1qLIsQbGYeUsRl9lxsT7A
-      CE6vCP235+urdA9IaBRPN1VpWDpV7YDbF/ZIkRDJevSnSSrBTed4WcXcSe7JNGFb
-      U3eFPi2vsekvb59CHqHPD8QvvqF3N/3Xp1uQZV+eBOCtRpMOZduBJ6QdZlGBaGrB
-      +RKJEl9ziqGkiqiQzw8MR2kSrRVKIs5cISbl/dOEqfkbp2A1Siy4kWt+2Zk5V+Sw
-      IPJDrjYIZKSzV6XhhN+fhMNOYJjByxEXXLvHRTydIUQpS5JPe3T1sMJCN8o41uKx
-      4g+oPomYfJzKSbdpP84fVC4WQCMj+CiMGz/dWV27LgKPF0X9wel5s5gke4UDYQKe
-      FDf/4n3+neMgKohFUIcnqGnBTtThXqvK637m37WfQTIqNWkRH4pU/Acl/djkd+TD
-      yYRBt5UqwGovABM08jYkuA==
-    </EncryptedBinary>
-  </Data>
  </InitialValues>
diff --git a/src/ckm/resource/XML_2_okay.xml b/src/ckm/resource/XML_2_okay.xml

index 0c3a76d..ff84dbc 100644 (file)
--- a/src/ckm/resource/XML_2_okay.xml
+++ b/src/ckm/resource/XML_2_okay.xml
@@ -1,5 +1,5 @@
  <?xml version="1.0" encoding="UTF-8"?>
-<InitialValues version="1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd ">
+<InitialValues version="2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd ">
    <Key name="test2-key1" type="RSA_PUB" password="123">
      <PEM>
        -----BEGIN PUBLIC KEY-----
diff --git a/src/ckm/resource/XML_3_wrong.xml b/src/ckm/resource/XML_3_wrong.xml

index 2fcb32a..c37883a 100644 (file)
--- a/src/ckm/resource/XML_3_wrong.xml
+++ b/src/ckm/resource/XML_3_wrong.xml
@@ -1,5 +1,5 @@
  <?xml version="1.0" encoding="UTF-8"?>
-<InitialValues version="1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd ">
+<InitialValues version="2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="initial_values.xsd ">
    <Key name="test3-key1" type="RSA_PUB" password="123">
      <Permission accessor="test_label"/>
      <PEM>
diff --git a/src/ckm/resource/device_key.xml b/src/ckm/resource/device_key.xml

deleted file mode 100644 (file)

index 30c162a..0000000
--- a/src/ckm/resource/device_key.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<DeviceKey version="1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="sw_key.xsd ">
-  <RSAPrivateKey>
-    <DERBase64>
-      MIIEowIBAAKCAQEA4Vx4MBKFGalaRh+BzSYnW8am8ajbnyD6AaweHcH+oAAQX7Ll
-      1/XrorzOkyQV3+eo4czRCklq6BXMI4Ppa+Hy+/X/pMBa4MHrjzH01gzzV0jyqEOr
-      S6/MGPsoWUgGl6FRhEnSX62JQoUpsURMbNLgjBkbrmKEMHMk6jT5NUtKhpBXo0/g
-      OgW48PuADuSjRmKWQssfR/KMsv3SRy9iGFOG1tFxGbeQkmBBxXVIr7u/z9WDG32R
-      DiG8Mda8dNXJGaBcltUY9HvMogmgCPMrBspFy7ek0x0Lll3t1P7FMgF1V21PFhcl
-      yX0L0XbBthpYojjglCYT5MnFfhKnI9zbMLlcSQIDAQABAoIBAGnH57pY1xUGgxMr
-      MthCsnLHuhDwu7Xj2rXyPmilaIldvlHNPUmzaxmGGkjCxWnF6WWjp/N2JrItmRaK
-      koRLGKzf+VEx4PZiz9j1EAFxLr+nxA7rRHpQWDLZoUTXJBEEbaj0pcS3RhhtPPay
-      IlVqXnAkUPP31iiPw6ITn24+mwqx0I6AenMsh9vJHKl5y9Yu/aslYbwcxkSXinlO
-      HHcWopZlJKUQnqlwJ6Xk4e4hjwZn7OQN2jQWKT5oQHO9tEUARqF8waY9yVfUSpjM
-      mw+gvywAoP1cT7M3q7MsKRNlZsrrC5zYWJ0ev4TIEa+zooqQymZoYeCd8s/77gsv
-      l7nz/CECgYEA846Xp3wWci8auSUv4SrqcjFZHz3YTqnPZzEf/U4nfFhhwzDHgOHD
-      u/M4gmEIcvxukhGO66/fqNnDJKQeu5XzgOKKO8/YCkjdIvULKNIOijmucx6oKn+K
-      4AIIzTYaI9Ft8+nOpfQV78+xnLGxiUamp8iRJgXei0RcISrEuw7+LQUCgYEA7N/m
-      Xgb1wkkrFp2fefTD6/5hGWizx3yO+jd+LXBRrPJQOvcf3Wh8jrEpWkeuUF8JYBZP
-      IOqc+TmbETuRUiokoYCihJKT0VkCqKz8qjUq7IwYf5Cx0gfEVUk3iyt3yTlJe9RJ
-      hOXV61PPtaebzg7MYmDfAkSU0ScqXV6Gd5Dl9XUCgYBprXE4Bqtml/Gsa+o+dPSM
-      38SfvaHhX+TSDYqnygVv+plQrBWkYlEfeAUI7TlRSx5e2qd8tC8DgJkfiOac1g91
-      2NXJ5gEDVWI+DLzu1VXhu+1pnd+xsO19DOTsxZDKAdEHiGdVsnbiOugB6UfzHGir
-      XGc+bEWHf/3JllkOIQ9AUQKBgCnL6C43NC4wEvZOodE3K0r8+80r+Gz+wYvNNup1
-      ozPNHfMJoAnFYhUblZxkgZGU82aNCTFZtJEVZRNJW38QCJ6mwAZ8hrCt8BYrT/oI
-      n6ZVog0ATyAsVqxl2vMnnF9ZSGodL0vP8ksv4rq+9HMLkWzagv83crrlGkiXYUq/
-      upPxAoGBAMrq/dAyhHKaM84C68JDZNuzPt/flAEgIf/iCYwHDKlWu0W2PmN9ZFbG
-      RkeC5ljD1V2QodLF6BZ+LWbK7aY9OGQR37tdm5whxZo+CqmQZ5Bybnlkfvo3cEPI
-      tW38eiYAnPQ3zy8WJ6if3Q+y+vaiM15C/MMVKyXAGcyop1qFVYAT
-    </DERBase64>
-  </RSAPrivateKey>
-</DeviceKey>
diff --git a/src/ckm/resource/pkcs.p12 b/src/ckm/resource/pkcs.p12

index 4548d51..3dff3d6 100644 (file)

Binary files a/src/ckm/resource/pkcs.p12 and b/src/ckm/resource/pkcs.p12 differ
diff --git a/src/ckm/test-certs.cpp b/src/ckm/test-certs.cpp

index ff137b1..939e11f 100644 (file)
--- a/src/ckm/test-certs.cpp
+++ b/src/ckm/test-certs.cpp
@@ -40,15 +40,15 @@ enum RawCertificateID {
      TEST_LEAF,           // TEST_LEAF, signed by TEST_IM_CA, expires 2035
  
      // third party
-    DIGICERT_ROOT_CA,    // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031
-    DIGICERT_IM_CA,      // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA,
-                         //   expires 22 Oct 2028
-    FACEBOOK_COM,        // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA,
-                         //   expires 22 Mar 2019
+    BALTIMORE_CYBER_TRUST_ROOT,    // Baltimore CyberTrust Root, (root CA), expires May 13, 2025
+    MS_IT_TLS_CA_4,      // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root,
+                         // expires May 20, 2024
+    MICROSOFT_COM,       // www.microsoft.com - signed by Microsoft IT TLS CA 4,
+                         // expires January 16, 2020
  
      // ocsp available chain on third party
-    MICROSOFT_IM_CA,     // MICROSOFT_IM_CA, signed by Baltimore CyberTrust Root, expires 20 May 2024
-    BING_COM,            // BING, signed by MICROSOFT_IM_CA, expires 10 Jul 2019
+    MS_IT_TLS_CA_2,      // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024
+    BING_COM,            // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021
  
      // footer - last element in the set
      NO_CERT
@@ -85,11 +85,11 @@ RawCertificateID toRawCertificateID(certificateID id)
      case certificateID::TEST_IM_CA:          return RawCertificateID::TEST_IM_CA;
      case certificateID::TEST_LEAF:           return RawCertificateID::TEST_LEAF;
  
-    case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::DIGICERT_ROOT_CA;
-    case certificateID::THIRD_PARTY_IM_CA:   return RawCertificateID::DIGICERT_IM_CA;
-    case certificateID::THIRD_PARTY_LEAF:    return RawCertificateID::FACEBOOK_COM;
+    case certificateID::THIRD_PARTY_ROOT_CA: return RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT;
+    case certificateID::THIRD_PARTY_IM_CA:   return RawCertificateID::MS_IT_TLS_CA_4;
+    case certificateID::THIRD_PARTY_LEAF:    return RawCertificateID::MICROSOFT_COM;
  
-    case certificateID::OCSP_AVAILABLE_IM:   return RawCertificateID::MICROSOFT_IM_CA;
+    case certificateID::OCSP_AVAILABLE_IM:   return RawCertificateID::MS_IT_TLS_CA_2;
      case certificateID::OCSP_AVAILABLE_LEAF: return RawCertificateID::BING_COM;
  
      case certificateID::NO_CERT:             return RawCertificateID::NO_CERT;
@@ -186,230 +186,248 @@ CertMap initializeTestCerts()
          cm[RawCertificateID::TEST_LEAF].certPtr = createCert(raw_base64);
      }
  
-    // BING.COM, signed by MICROSOFT_IM_CA, expires 10 Jul 2019
+    // BING, signed by Microsoft IT TLS CA 2, expires 30 Apr 2021
      {
          std::string raw_base64(
              "-----BEGIN CERTIFICATE-----\n"
-            "MIIMAjCCCeqgAwIBAgITLQAAMpnXBx230XCKQgAAAAAymTANBgkqhkiG9w0BAQsF\n"
+            "MIIN+jCCC+KgAwIBAgITIAAGDxuOsc5CY0aDQgAAAAYPGzANBgkqhkiG9w0BAQsF\n"
              "ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n"
              "B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n"
-            "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDUw\n"
-            "HhcNMTcwNzIwMTc0NzA4WhcNMTkwNzEwMTc0NzA4WjAXMRUwEwYDVQQDEwx3d3cu\n"
-            "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6jsg+/7Dl\n"
-            "IrdgFOcaDlK3RQ9sIgkJsgpj+ZxAbIe3ziyimIxjVlHX87pqgXcNhaYNbCFD0iPm\n"
-            "+aUfbv4GDTLR+AIr8eSegqxZ+CBToYM67NhpVYra1KAvY4XgqxorO4FB9IWYJRqh\n"
-            "I3SZeZ3lLK5t9XuUMicG8l52nJfpPdXXvBca2wUCq8FHEObG81vJzESA0htLLPTj\n"
-            "dUWBQnXPiW5bqzlGHzzv8ISV6jtDLNNa5JRlhSlXho+6pCedhNF7MP4yTaantPvA\n"
-            "ELLRWX13VhjgoCcRCCu0s8rxW5DuVWl2Pb2iw35MFnNWlcoVwq0AjAfGA+xEba/W\n"
-            "Lid6qfkQctYjAgMBAAGjggfQMIIHzDAdBgNVHQ4EFgQUCYflhSl4MCAls91+3Gzt\n"
-            "pSmoA3AwCwYDVR0PBAQDAgSwMB8GA1UdIwQYMBaAFAj+JZ906ocEwry7jqg4XzPG\n"
-            "0WxlMIGsBgNVHR8EgaQwgaEwgZ6ggZuggZiGS2h0dHA6Ly9tc2NybC5taWNyb3Nv\n"
-            "ZnQuY29tL3BraS9tc2NvcnAvY3JsL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n"
-            "MjA1LmNybIZJaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3Js\n"
-            "L01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0ElMjA1LmNybDCBhQYIKwYBBQUHAQEE\n"
-            "eTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n"
-            "Y29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUyMENBJTIwNS5jcnQwIgYIKwYBBQUH\n"
-            "MAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20wPgYJKwYBBAGCNxUHBDEwLwYnKwYB\n"
-            "BAGCNxUIh9qGdYPu2QGCyYUbgbWeYYX062CBXYTS30KC55N6AgFkAgEQMB0GA1Ud\n"
-            "JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATBNBgNVHSAERjBEMEIGCSsGAQQBgjcq\n"
-            "ATA1MDMGCCsGAQUFBwIBFidodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z\n"
-            "Y29ycC9jcHMwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcD\n"
-            "ATCCBW0GA1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20u\n"
-            "Y26CEyoucGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZp\n"
-            "ZW9ubGluZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5p\n"
-            "ZW9ubGluZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5i\n"
-            "aW5nLm5ldIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5l\n"
-            "dIINKi5jbi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNv\n"
-            "bYIQc3NsLWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMu\n"
-            "Y29tgg9iaW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2lu\n"
-            "c2VydG1lZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5i\n"
-            "YXQuYmluZy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29t\n"
-            "gg4qLnNzbC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5j\n"
-            "bi5iaW5nLmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwu\n"
-            "YmluZy5jb22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5i\n"
-            "aW5nc2FuZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0\n"
-            "dS5saXZlLmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVz\n"
-            "LmRpdHUubGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50\n"
-            "aWxlcy5kaXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxp\n"
-            "dmUuY29tghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNv\n"
-            "bYIVY253ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2\n"
-            "ZS5jb22CEWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2Vz\n"
-            "LmxpdmUuY29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5j\n"
-            "b22CFGxzNGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRp\n"
-            "YS5saXZlLmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMu\n"
-            "bGl2ZS5jb20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3Jp\n"
-            "Z2luLmNud2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNv\n"
-            "bYIPc2VhcmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxp\n"
-            "dmUuY29tgg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIM\n"
-            "d2FwLmxpdmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2\n"
-            "ZS5jb22CFXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20u\n"
-            "YXUwDQYJKoZIhvcNAQELBQADggIBADTpW/UWeupk40OP6k4yxihKStswxwqPAfMR\n"
-            "mx4XyqmTAawAKRNM+6EZth1BQdPdOplwRTvs69kkmUHJH+ZjYXBezEACWkzEiNUQ\n"
-            "nzkRWajdSQIz08Ubj/mBD6U8xLYD+NXgiB0xNWabd8aiPsqPaj6I3qkNw4JvtgtH\n"
-            "ZQG1zlwC5/Lu6yV3DM3sKpQMyBmOnX6nVUiS0MTOzLgZOQzRk07nO7EXWGcKTmDB\n"
-            "jE8cqv5IA/jQ6gtaxCI5pDxfXK4ct7oQyoChfxOXcEDKMmMndFmg9ch5c4an/FRM\n"
-            "2cgzDfjR01A71LNUpLUdOjNV0T+ZEStqEpdyDFfjrHGDtzLyqEz3iyvvQFyjmlGh\n"
-            "6OtZXwjCPpnVSrKCmfJKio0kUxyq+6t5tZAQbPVgFKiMrVnU+sgvmNVip1toijyz\n"
-            "8vMVCkwJ2G++7xjJukoELMxZ50W4/SAMZLy1Asx02NBwYCu9+CTQPVnmPe7rmxhl\n"
-            "QRBOfDNa1+5jwRHY64YudEzKhWR1uqS3ABd/fk+TL86yuNYGAgxnOm1FtOGieRgV\n"
-            "iV3+NzC+bDbuUOtmbD/GvDGmRwJRcCTHL7jBmkHePh2ABY93NE/IbkaDP6l1Kw98\n"
-            "AfqkzSUxhqHXuThe7KIoX9/0zv4AA1WZFis1QvAG7dpl9eio6vCdC/73HvBAlqRL\n"
-            "+7Mb1uu0\n"
+            "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDIw\n"
+            "HhcNMTkwNDMwMjA0ODAwWhcNMjEwNDMwMjA0ODAwWjAXMRUwEwYDVQQDEwx3d3cu\n"
+            "YmluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhIlPb0iP7\n"
+            "xRmUScK43QI7Ci/lvfMumWhRFAHcFzjIDHs74sq0B+ze8HW5PR6LWRe/d3yR5dC8\n"
+            "7gQs0qXGitzsP9vWJcpwKV273tlnWiEfgZx5tvNCFdHOqoYoHL3a8zed/JkGTEeX\n"
+            "ukGEX0TeBgCjcVTj5qRxJhjlWxs3AcB/q4f4vi3QG80TbSU2UO0lkvhvfs73C1jq\n"
+            "i7Zspia/YsMqcQ6X+APAZ+4guKjQr5q32tzj2FGtJO6ZmZuNV9Wwb32891UhwZ3D\n"
+            "2PrIcnCNlIQ1/Fah6im7Vc67qO2x/++r7gO7PtR8byCFnFuNUVQxhSIkCkj6FvPx\n"
+            "cYefok0wJ0VRAgMBAAGjggnIMIIJxDCCAfQGCisGAQQB1nkCBAIEggHkBIIB4AHe\n"
+            "AHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFqcApGzAAABAMA\n"
+            "RjBEAiAiASIs5j19VcTLbxcOGHQlIl62d3iy1FY8dnNq+6lebQIgchbSq2Qh78zs\n"
+            "mmucyslucBycij/FYUe3F1lNpJiB9KsAdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAl\n"
+            "CBcvo6odBxPTDAAAAWpwCkgDAAAEAwBHMEUCIQDx6RqcvDdfIY9qdAuaRFBVvSHN\n"
+            "ttpAzie3KP9AAiGvBwIgSMvjse/hJusDoRFnSTtX96ierTaqzQH4oDLLnW/Gwc0A\n"
+            "dQBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAWpwCkbmAAAEAwBG\n"
+            "MEQCICbYF6Lv93BFrwLguzmas/5gQ87fzRHkTaMxDSD7PlhRAiA/DXOeTcHaiUPQ\n"
+            "WsKbJ/7x9EWKvVisqtQMnYk6cBxbBwB2AESUZS6w7s6vxEAH2Kj+KMDa5oK+2Msx\n"
+            "tT/TM5a1toGoAAABanAKRtoAAAQDAEcwRQIgardRfR7bxwSGF212a603dXYz6O5z\n"
+            "YHpPks8/RR/AMzQCIQD4VYDD+2zVDHEjz8elkKEzhgzTdOMtc1yYhCU+eHAGkjAn\n"
+            "BgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMD4GCSsGAQQB\n"
+            "gjcVBwQxMC8GJysGAQQBgjcVCIfahnWD7tkBgsmFG4G1nmGF9OtggV2E0t9CgueT\n"
+            "egIBZAIBHTCBhQYIKwYBBQUHAQEEeTB3MFEGCCsGAQUFBzAChkVodHRwOi8vd3d3\n"
+            "Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9NaWNyb3NvZnQlMjBJVCUyMFRMUyUy\n"
+            "MENBJTIwMi5jcnQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLm1zb2NzcC5jb20w\n"
+            "HQYDVR0OBBYEFDcHtZt8HkKSRO8ETiTkCLixB9PaMAsGA1UdDwQEAwIEsDCCBW0G\n"
+            "A1UdEQSCBWQwggVgggx3d3cuYmluZy5jb22CEGRpY3QuYmluZy5jb20uY26CEyou\n"
+            "cGxhdGZvcm0uYmluZy5jb22CCiouYmluZy5jb22CCGJpbmcuY29tghZpZW9ubGlu\n"
+            "ZS5taWNyb3NvZnQuY29tghMqLndpbmRvd3NzZWFyY2guY29tghljbi5pZW9ubGlu\n"
+            "ZS5taWNyb3NvZnQuY29tghEqLm9yaWdpbi5iaW5nLmNvbYINKi5tbS5iaW5nLm5l\n"
+            "dIIOKi5hcGkuYmluZy5jb22CGGVjbi5kZXYudmlydHVhbGVhcnRoLm5ldIINKi5j\n"
+            "bi5iaW5nLm5ldIINKi5jbi5iaW5nLmNvbYIQc3NsLWFwaS5iaW5nLmNvbYIQc3Ns\n"
+            "LWFwaS5iaW5nLm5ldIIOKi5hcGkuYmluZy5uZXSCDiouYmluZ2FwaXMuY29tgg9i\n"
+            "aW5nc2FuZGJveC5jb22CFmZlZWRiYWNrLm1pY3Jvc29mdC5jb22CG2luc2VydG1l\n"
+            "ZGlhLmJpbmcub2ZmaWNlLm5ldIIOci5iYXQuYmluZy5jb22CECouci5iYXQuYmlu\n"
+            "Zy5jb22CEiouZGljdC5iaW5nLmNvbS5jboIPKi5kaWN0LmJpbmcuY29tgg4qLnNz\n"
+            "bC5iaW5nLmNvbYIQKi5hcHBleC5iaW5nLmNvbYIWKi5wbGF0Zm9ybS5jbi5iaW5n\n"
+            "LmNvbYINd3AubS5iaW5nLmNvbYIMKi5tLmJpbmcuY29tgg9nbG9iYWwuYmluZy5j\n"
+            "b22CEXdpbmRvd3NzZWFyY2guY29tgg5zZWFyY2gubXNuLmNvbYIRKi5iaW5nc2Fu\n"
+            "ZGJveC5jb22CGSouYXBpLnRpbGVzLmRpdHUubGl2ZS5jb22CDyouZGl0dS5saXZl\n"
+            "LmNvbYIYKi50MC50aWxlcy5kaXR1LmxpdmUuY29tghgqLnQxLnRpbGVzLmRpdHUu\n"
+            "bGl2ZS5jb22CGCoudDIudGlsZXMuZGl0dS5saXZlLmNvbYIYKi50My50aWxlcy5k\n"
+            "aXR1LmxpdmUuY29tghUqLnRpbGVzLmRpdHUubGl2ZS5jb22CCzNkLmxpdmUuY29t\n"
+            "ghNhcGkuc2VhcmNoLmxpdmUuY29tghRiZXRhLnNlYXJjaC5saXZlLmNvbYIVY253\n"
+            "ZWIuc2VhcmNoLmxpdmUuY29tggxkZXYubGl2ZS5jb22CDWRpdHUubGl2ZS5jb22C\n"
+            "EWZhcmVjYXN0LmxpdmUuY29tgg5pbWFnZS5saXZlLmNvbYIPaW1hZ2VzLmxpdmUu\n"
+            "Y29tghFsb2NhbC5saXZlLmNvbS5hdYIUbG9jYWxzZWFyY2gubGl2ZS5jb22CFGxz\n"
+            "NGQuc2VhcmNoLmxpdmUuY29tgg1tYWlsLmxpdmUuY29tghFtYXBpbmRpYS5saXZl\n"
+            "LmNvbYIObG9jYWwubGl2ZS5jb22CDW1hcHMubGl2ZS5jb22CEG1hcHMubGl2ZS5j\n"
+            "b20uYXWCD21pbmRpYS5saXZlLmNvbYINbmV3cy5saXZlLmNvbYIcb3JpZ2luLmNu\n"
+            "d2ViLnNlYXJjaC5saXZlLmNvbYIWcHJldmlldy5sb2NhbC5saXZlLmNvbYIPc2Vh\n"
+            "cmNoLmxpdmUuY29tghJ0ZXN0Lm1hcHMubGl2ZS5jb22CDnZpZGVvLmxpdmUuY29t\n"
+            "gg92aWRlb3MubGl2ZS5jb22CFXZpcnR1YWxlYXJ0aC5saXZlLmNvbYIMd2FwLmxp\n"
+            "dmUuY29tghJ3ZWJtYXN0ZXIubGl2ZS5jb22CE3dlYm1hc3RlcnMubGl2ZS5jb22C\n"
+            "FXd3dy5sb2NhbC5saXZlLmNvbS5hdYIUd3d3Lm1hcHMubGl2ZS5jb20uYXUwgawG\n"
+            "A1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0cDovL21zY3JsLm1pY3Jvc29mdC5jb20v\n"
+            "cGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3Js\n"
+            "hklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9z\n"
+            "b2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDIuY3JsME0GA1UdIARGMEQwQgYJKwYBBAGC\n"
+            "NyoBMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv\n"
+            "bXNjb3JwL2NwczAfBgNVHSMEGDAWgBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAdBgNV\n"
+            "HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggIBAA1g\n"
+            "NJF5ks5Qrg0/qeOXQbcO3SCs+HKTKxVL8QdaTL3s5gsmWQzcYNS671DmN4lEob2g\n"
+            "WWZKyKAzQbjDOcf9ndxX4+i+PaCw5K3uONbMOwnuOCwRvDy8YEoCb3OzKFX4sjzh\n"
+            "1HVL/ljKHUPT+9ap/SpYserNxixibqF2LZYx+9hwr1bcx9GWrg3CoFUFgSZqRQ14\n"
+            "eiK94iM5kzJLKynKPhez+UOwS5VRev1mxh5nD9hBPzXHHqI9mNWu/lyr7KPUMigi\n"
+            "QfKKZuqV6W3i1H3BoJi1uDkL3SJo1F39XN3AyGSAZWS9RNn5JzEQQGiJRjrz/PE1\n"
+            "vTg1BlbsPdKa4gGZGdGBWcj2eXZc+GbLpTy3qWlmJrEn2KGLeomyndlftRPFrBUH\n"
+            "/5Mio5OeSawjlacBV25fKaoZ1BPc3i+HGKd5ctddCy6kJsgdMD221zGvf/0uW25Z\n"
+            "ImzDeH7KkOcGbzyWJwBzDgra0RP+qRgK3aYPSWI81OLlnHJ2VOix/UU63NCK2fO/\n"
+            "URzE8KxoHrgRGXCE52viHv6ksL7QXWelbERU7GEpcZU1suPhDohn4CrfrCYCjpa5\n"
+            "Ys6ci7Rren82SsXJBfNrgm2U4lxWfzWj+2Ay6yATbdoOPntue8cbbMoTzoNMHQXD\n"
+            "2DpjtFPs8/RVOFQb0IFVluCrTAnHmI8tTtsmzg6z\n"
              "-----END CERTIFICATE-----\n");
          cm[RawCertificateID::BING_COM].raw_base64 = raw_base64;
          cm[RawCertificateID::BING_COM].certPtr = createCert(raw_base64);
  
      }
  
-    // MICROSOFT_IM_CA, expires 20 May 2024
+    // Microsoft IT TLS CA 2, signed by Baltimore CyberTrust Root, expires 20 May 2024
      {
          std::string raw_base64(
              "-----BEGIN CERTIFICATE-----\n"
-            "MIIFtDCCBJygAwIBAgIQCIjNUl8ZJERNFKWCkd65UjANBgkqhkiG9w0BAQsFADBa\n"
+            "MIIFtDCCBJygAwIBAgIQDywQyVsGwJN/uNRJ+D6FaTANBgkqhkiG9w0BAQsFADBa\n"
              "MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n"
              "clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n"
-            "MDUyMDEyNTMwM1oXDTI0MDUyMDEyNTMwM1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
+            "MDUyMDEyNTE1N1oXDTI0MDUyMDEyNTE1N1owgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
              "VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n"
              "b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n"
-            "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
-            "MIICCgKCAgEAmt+BXDuPrul5lrmaeaeB8jnaVShGIwLFgmYHthXe/Zw6GpuRCdJm\n"
-            "jwuJF/hxhyF/ONM/miUAtzXQq/gIejbzUFvfKykn3qTdJJL69MZwjTYqmvCA3jX6\n"
-            "HkKdCYGq1QcKFqXFWkJtQr4eQoK0VzCZW0Ur1I/TCgbGc5Ok4YPvxb8FJ6d4zbML\n"
-            "4J4iFvOY3KYU6MyU1yP50FCZu7ULEJXx3wLpj46dVpk82I/TWPtckn49e/hQSVr3\n"
-            "EHt3+OZKkEpVUt6UrXQJoGRXLM0HkJ8WrZXD0Qa68e9sBbUErKncGzGbDi0ZlQRP\n"
-            "3mbLrTVyrxmCCLIUOhZfsDyb240MsALWJh/oFXHE7/ljOUOM6cKSLqHCoDAlDpYn\n"
-            "X56jK4LWEL08GR6mh/5VITpcQfwBmMwvkv9mOLS4ZpwPEmhLSqyGu16Y/56mnFNs\n"
-            "MxGk0K5SR9eLj/GWrLkpmo8s8a1kGMMmuwBk3lBwwLvsxmuu06DvwPFcDfLMelna\n"
-            "GDMvWRCtZxQsXyJDSkTh6N3g51UWTgnvA0wMSFBa8APfju9jyltnh0NALAa2Hw8+\n"
-            "U8BmP9cUFeYIYphIfoPlp7VdUS1ULWH9NF3Ut4DN0n3OsSQ785dsbBPeihfJivVI\n"
-            "lUL3EpDjEBf2oQDFNiplkZ4F7EIuWriZG//UTrX6ZlXZg46/CCmN+gsCAwEAAaOC\n"
-            "AUIwggE+MB0GA1UdDgQWBBQI/iWfdOqHBMK8u46oOF8zxtFsZTAfBgNVHSMEGDAW\n"
+            "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
+            "MIICCgKCAgEAnqoVwRuhY1/mURjFFrsR3AtNm5EKukBJK9zWBgvFd1ksNEJFC06o\n"
+            "yRbwKPMflpW/HtOfzIeBliGk57MwZq18bgASr70sPUWuoD917HUgBfxBYoF8zA7Z\n"
+            "Ie5zAHODFboJL7Fg/apgbQs/GiZZNCi0QkQUWzw0nTUmVSNQ0mz6pCu95Dv1WMsL\n"
+            "GyPGfdN9zD3Q/QEDyJ695QgjRIxYA1DUE+54ti2k6r0ycKFQYkyWwZ25HD1h2kYt\n"
+            "3ovW85vF6y7tjTqUEcLbgKUCB81/955hdLLsbFd6f9o2PkU8xuOc3U+bUedvv6Sb\n"
+            "tvGjBEZeFyH8/CaQhzlsKMH0+OPOFv/bMqcLarPw1V1sOV1bl4W9vi2278niblzI\n"
+            "bEHt7nN888p4KNIwqCcXaGhbtS4tjn3NKI6v1d2XRyxIvCJDjgoZ09zF39Pyoe92\n"
+            "sSRikZh7xns4tQEQ8BCs4o5NBSx8UxEsgyzNSskWGEWqsIjt+7+A1skDDZv6k2o8\n"
+            "VCHNbTLFKS7d72wMI4ErpzVsBIicxaG2ezuMBBuqThxIiJ+G9zfoP9lxim/9rvJA\n"
+            "xbh3nujA1VJfkOYTJIojEAYCxR3QjEoGdapJmBle97AfqEBnwoJsu2wav8h9v+po\n"
+            "DL4h6dRzRUxY1DHypcFlXGoHu/REQgFLq2IN30/AhQLN90Pj9TT2RQECAwEAAaOC\n"
+            "AUIwggE+MB0GA1UdDgQWBBSRnjtEbD1XnEJ3KjTXT9HMSpcs2jAfBgNVHSMEGDAW\n"
              "gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n"
              "DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n"
              "BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n"
              "aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n"
              "LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n"
              "AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n"
-            "CwUAA4IBAQA+8s8wpXq/HmrfOVgYKDzDne7ngcVL/Gf2vx9ON9re8K/uivkDe2Bn\n"
-            "dMc72v8rSuv9VHUTi+XCgRK6UhIguimKOs1DJMzVFwX+nBY/c+BtQcB2PfKrSMVZ\n"
-            "YmS6RE8KGII/Qeo/GDpY56AwV3X10WoxFLaUmWXatugB3uSr+7Xz5RkKGF+kAlfe\n"
-            "tlwmb3P+Lgn1CEPED8ckf50oZ2Wh3FvwOv34cIXnpU8k3kI/HUQ7XYUGhR0eHNTZ\n"
-            "TlHk/R4RFsyeANmXGpfjZceGNRtTdr4y0SxBSUujPpMMW3dXBzA8NYuM0WmiJ/pV\n"
-            "6KudEB7RF9+6bInTyVvXC5SIqdi0ldeO\n"
+            "CwUAA4IBAQBsf+pqb89rW8E0rP/cDuB9ixMX4C9OWQ7EA7n0BSllR64ZmuhU9mTV\n"
+            "2L0G4HEiGXvOmt15i99wJ0ho2/dvMxm1ZeufkAfMuEc5fQ9RE5ENgNR2UCuFB2Bt\n"
+            "bVmaKUAWxscN4GpXS4AJv+/HS0VXs5Su19J0DA8Bg+lo8ekCl4dq2G1m1WsCvFBI\n"
+            "oLIjd4neCLlGoxT2jA43lj2JpQ/SMkLkLy9DXj/JHdsqJDR5ogcij4VIX8V+bVD0\n"
+            "NCw7kQa6Ulq9Zo0jDEq1at4zSeH4mV2PMM3LwIXBA2xo5sda1cnUWJo3Pq4uMgcL\n"
+            "e0t+fCut38NMkTl8F0arflspaqUVVUov\n"
              "-----END CERTIFICATE-----\n");
-        cm[RawCertificateID::MICROSOFT_IM_CA].raw_base64 = raw_base64;
-        cm[RawCertificateID::MICROSOFT_IM_CA].certPtr = createCert(raw_base64);
+        cm[RawCertificateID::MS_IT_TLS_CA_2].raw_base64 = raw_base64;
+        cm[RawCertificateID::MS_IT_TLS_CA_2].certPtr = createCert(raw_base64);
  
      }
  
-    // DIGICERT_ROOT_CA, (root CA), expires 10 Nov 2031
+    // Baltimore CyberTrust Root, (root CA), expires May 13, 2025
      {
          std::string raw_base64 = std::string(
              "-----BEGIN CERTIFICATE-----\n"
-            "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
-            "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-            "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
-            "ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
-            "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
-            "LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
-            "RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
-            "+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
-            "PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
-            "xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
-            "Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
-            "hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
-            "EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
-            "MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
-            "FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
-            "nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
-            "eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
-            "hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
-            "Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
-            "vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
-            "+OkuE6N36B9K\n"
+            "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n"
+            "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n"
+            "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n"
+            "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n"
+            "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n"
+            "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n"
+            "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n"
+            "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n"
+            "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n"
+            "XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n"
+            "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n"
+            "jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n"
+            "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n"
+            "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n"
+            "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n"
+            "jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n"
+            "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n"
+            "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n"
+            "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n"
              "-----END CERTIFICATE-----\n");
-        cm[RawCertificateID::DIGICERT_ROOT_CA].raw_base64 = raw_base64;
-        cm[RawCertificateID::DIGICERT_ROOT_CA].certPtr = createCert(raw_base64);
+        cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].raw_base64 = raw_base64;
+        cm[RawCertificateID::BALTIMORE_CYBER_TRUST_ROOT].certPtr = createCert(raw_base64);
      }
  
-    // DIGICERT_IM_CA, signed by DIGICERT_ROOT_CA, expires 22 Oct 2028
+    // Microsoft IT TLS CA 4, signed by Baltimore CyberTrust Root, expires May 20, 2024
      {
          std::string raw_base64 = std::string(
              "-----BEGIN CERTIFICATE-----\n"
-            "MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs\n"
-            "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-            "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
-            "ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL\n"
-            "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
-            "LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy\n"
-            "YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2\n"
-            "4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC\n"
-            "Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1\n"
-            "itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn\n"
-            "4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X\n"
-            "sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft\n"
-            "bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA\n"
-            "MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n"
-            "NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy\n"
-            "dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t\n"
-            "L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG\n"
-            "BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ\n"
-            "UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D\n"
-            "aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd\n"
-            "aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH\n"
-            "E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly\n"
-            "/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu\n"
-            "xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF\n"
-            "0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae\n"
-            "cPUeybQ=\n"
+            "MIIFtDCCBJygAwIBAgIQC2qzsD6xqfbEYJJqqM3+szANBgkqhkiG9w0BAQsFADBa\n"
+            "MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl\n"
+            "clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE2\n"
+            "MDUyMDEyNTIzOFoXDTI0MDUyMDEyNTIzOFowgYsxCzAJBgNVBAYTAlVTMRMwEQYD\n"
+            "VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy\n"
+            "b3NvZnQgQ29ycG9yYXRpb24xFTATBgNVBAsTDE1pY3Jvc29mdCBJVDEeMBwGA1UE\n"
+            "AxMVTWljcm9zb2Z0IElUIFRMUyBDQSA0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
+            "MIICCgKCAgEAq+XrXaNrOZ71NIgSux1SJl19CQvGeY6rtw7fGbLd7g/27vRW5Ebi\n"
+            "kg/iZwvjHHGk1EFztMuZFo6/d32wrx5s7XEuwwh3Sl6Sruxa0EiB0MXpoPV6jx6N\n"
+            "XtOtksDaxpE1MSC5OQTNECo8lx0AnpkYGAnPS5fkyfwA8AxanTboskDBSqyEKKo9\n"
+            "Rhgrp4qs9K9LqH5JQsdiIMDmpztd65Afu4rYnJDjOrFswpTOPjJry3GzQS65xeFd\n"
+            "2FkngvvhSA1+6ATx+QEnQfqUWn3FMLu2utcRm4j6AcxuS5K5+Hg8y5xomhZmiNCT\n"
+            "sCqDLpcRHX6BIGHksLmbnG5TlZUixtm9dRC62XWMPD8d0Jb4M0V7ex9UM+VIl6cF\n"
+            "JKLb0dyVriAqfZaJSHuSetAksd5IEfdnPLTf+Fhg9U97NGjm/awmCLbzLEPbT8QW\n"
+            "0JsMcYexB2uG3Y+gsftm2tjL6fLwZeWO2BzqL7otZPFe0BtQsgyFSs87yC4qanWM\n"
+            "wK5c2enAfH182pzjvUqwYAeCK31dyBCvLmKM3Jr94dm5WUiXQhrDUIELH4Mia+Sb\n"
+            "vCkigv2AUVx1Xw41wt1/L3pnnz2OW4y7r530zAz7qB+dIcHz51IaXc4UV21QuEnu\n"
+            "sQsn0uJpJxJuxsAmPuekKxuLUzgG+hqHOuBLf5kWTlk9WWnxcadlZRsCAwEAAaOC\n"
+            "AUIwggE+MB0GA1UdDgQWBBR6e4zBz+egyhzUa/r74TPDDxqinTAfBgNVHSMEGDAW\n"
+            "gBTlnVkwgkdYzKz6CFQ2hns6tQRN8DASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1Ud\n"
+            "DwEB/wQEAwIBhjAnBgNVHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUF\n"
+            "BwMJMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln\n"
+            "aWNlcnQuY29tMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0\n"
+            "LmNvbS9PbW5pcm9vdDIwMjUuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsG\n"
+            "AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMA0GCSqGSIb3DQEB\n"
+            "CwUAA4IBAQAR/nIGOiEKN27I9SkiAmKeRQ7t+gaf77+eJDUX/jmIsrsB4Xjf0YuX\n"
+            "/bd38YpyT0k66LMp13SH5LnzF2CHiJJVgr3ZfRNIfwaQOolm552W95XNYA/X4cr2\n"
+            "du76mzVIoZh90pMqT4EWx6iWu9El86ZvUNoAmyqo9DUA4/0sO+3lFZt/Fg/Hjsk2\n"
+            "IJTwHQG5ElBQmYHgKEIsjnj/7cae1eTK6aCqs0hPpF/kixj/EwItkBE2GGYoOiKa\n"
+            "3pXxWe6fbSoXdZNQwwUS1d5ktLa829d2Wf6l1uVW4f5GXDuK+OwO++8SkJHOIBKB\n"
+            "ujxS43/jQPQMQSBmhxjaMmng9tyPKPK9\n"
              "-----END CERTIFICATE-----\n");
-        cm[RawCertificateID::DIGICERT_IM_CA].raw_base64 = raw_base64;
-        cm[RawCertificateID::DIGICERT_IM_CA].certPtr = createCert(raw_base64);
+        cm[RawCertificateID::MS_IT_TLS_CA_4].raw_base64 = raw_base64;
+        cm[RawCertificateID::MS_IT_TLS_CA_4].certPtr = createCert(raw_base64);
      }
  
-    // FACEBOOK_COM, *.facebook.com - signed by DIGICERT_IM_CA, expires 22 Mar 2019
+    // www.microsoft.com - signed by Microsoft IT TLS CA 4, expires January 16, 2020
      {
          std::string raw_base64 = std::string(
              "-----BEGIN CERTIFICATE-----\n"
-            "MIIGsjCCBZqgAwIBAgIQCzw7YBoY9Z7itrsFYF7ywDANBgkqhkiG9w0BAQsFADBw\n"
-            "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-            "d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz\n"
-            "dXJhbmNlIFNlcnZlciBDQTAeFw0xNzEyMTUwMDAwMDBaFw0xOTAzMjIxMjAwMDBa\n"
-            "MGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpN\n"
-            "ZW5sbyBQYXJrMRcwFQYDVQQKEw5GYWNlYm9vaywgSW5jLjEXMBUGA1UEAwwOKi5m\n"
-            "YWNlYm9vay5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIA87IjqqM6JBX\n"
-            "puN20BXCVsDjoP9wnF2rSV60qC130oLTrgfOQ3Uk1dv1R6LFCx4gs2pJUu6iDKBS\n"
-            "/b+BXOUbo4IEGDCCBBQwHwYDVR0jBBgwFoAUUWj/kK8CB3U8zNllZGKiErhZcjsw\n"
-            "HQYDVR0OBBYEFMD9dPV9y8Yn8QPTYqJF14QcFSEIMIHHBgNVHREEgb8wgbyCDiou\n"
-            "ZmFjZWJvb2suY29tgg4qLnh4LmZiY2RuLm5ldIILKi5mYnNieC5jb22CDioueHou\n"
-            "ZmJjZG4ubmV0gg4qLmZhY2Vib29rLm5ldIIOKi54eS5mYmNkbi5uZXSCDyoubWVz\n"
-            "c2VuZ2VyLmNvbYIGZmIuY29tggsqLmZiY2RuLm5ldIIIKi5mYi5jb22CECoubS5m\n"
-            "YWNlYm9vay5jb22CDW1lc3Nlbmdlci5jb22CDGZhY2Vib29rLmNvbTAOBgNVHQ8B\n"
-            "Af8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRu\n"
-            "MGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZl\n"
-            "ci1nNi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhh\n"
-            "LXNlcnZlci1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEF\n"
-            "BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIwgYMG\n"
-            "CCsGAQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu\n"
-            "Y29tME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln\n"
-            "aUNlcnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA\n"
-            "MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY\n"
-            "BPkb37jjd80OyA3cEAAAAWBXnEHoAAAEAwBHMEUCIBC3Rn4i2bhLyR344u3vl7be\n"
-            "vxoi+WPJBhGT+j1gJmg5AiEAwQ3rzH1mmMSYNYKtVNDZMo+l6e8Z35t+X9NDR7Du\n"
-            "gWAAdwCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWBXnEL7AAAE\n"
-            "AwBIMEYCIQCRjvvPARW3J1ENmo2Nz1cxisa1BcbDuqvSrfuXkz8btAIhAPmllqgF\n"
-            "8JjlVHUChiFzghsKVBeTxRagi55tgsAciaoZAHUAu9nfvB+KcbWTlCOXqpJ7RzhX\n"
-            "lQqrUugakJZkNo4e0YUAAAFgV5xCUgAABAMARjBEAiBY6qdNgMoQAqVTl3zRrTmy\n"
-            "+X/1f/esBUczsb3MWdZ1ZgIgXdxZNTrDBgyTzxgbVRObkqU3tZZdaiwsw4WI0xI0\n"
-            "BtQwDQYJKoZIhvcNAQELBQADggEBAGu0uxZD+IRXXlFWLPvknRkXA7J08NyVKG70\n"
-            "M2vDi2xF2YB8qlZgoxW8YiiV86IpwtOhYLZinSO0iCBDQmTf627LTPfuDcF6qOuO\n"
-            "WFTvj1IbplPvGWIu5tNBiFWNQxFAIL2Rf+5vmIe+YezUHTLGGqwRtFa2ImS17IMk\n"
-            "YjZ90LYXXO5qb1RKkFJtAvEBTbJsv8kr+J6Rx+YNJy17LnBX+MbWiyBbvUQoM3sY\n"
-            "MmcWmcaQmECz9ZHWYjZeufSHbHKG6KDYLU8x6DyhgtxK2rsoIMlNnJkNHaLjw+b8\n"
-            "7VCYa+EMWppvVuNyXOk9Jkbx7Q3SEoodT77kkHUX0bF2OkZy6cc=\n"
+            "MIIHnzCCBYegAwIBAgITFgAAoiZScXH3VKzEFgAAAACiJjANBgkqhkiG9w0BAQsF\n"
+            "ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT\n"
+            "B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE\n"
+            "CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgVExTIENBIDQw\n"
+            "HhcNMTgwMTE2MjEyNDAyWhcNMjAwMTE2MjEyNDAyWjCBiDELMAkGA1UEBhMCVVMx\n"
+            "CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv\n"
+            "ZnQgQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEa\n"
+            "MBgGA1UEAxMRd3d3Lm1pY3Jvc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
+            "DwAwggEKAoIBAQDM6uKEPBupNS4BXRWdhU6RzawVP27lFo4eiAOloEHaXYM1DoPU\n"
+            "Jxxt+uyhwkk8yIZFKLK9AKX0qtqTVFOh3TFk77uGJKlfyugpVs+5sGGffhd0y2cG\n"
+            "SyOltJLcf/v31tRjeN/xNi9CeHtcK46ksqgp9kdTDd1IuxDO9fN45LRPZkRuOpNy\n"
+            "yXAHlMyVDO4Xfgt8CYH/ssmr1ZqYr98dO9iAiU+eFrz6huBCAJfFzMXWznbpwrsd\n"
+            "41TjE5zPJkHaB9BOKuLZySfEQhIRewexFtJXlT88Kj6SfIoe2naZxqDW/tQVVzRx\n"
+            "ID092mXdVEjL2MZ6GocNk1pPezqY8wOUjgA7AgMBAAGjggL7MIIC9zCBmQYDVR0R\n"
+            "BIGRMIGOghVwcml2YWN5Lm1pY3Jvc29mdC5jb22CEWMucy1taWNyb3NvZnQuY29t\n"
+            "gg1taWNyb3NvZnQuY29tghFpLnMtbWljcm9zb2Z0LmNvbYIYc3RhdGljdmlldy5t\n"
+            "aWNyb3NvZnQuY29tghF3d3cubWljcm9zb2Z0LmNvbYITd3d3cWEubWljcm9zb2Z0\n"
+            "LmNvbTAdBgNVHQ4EFgQUMqJLlf7sAXZDo1IX+BIPkeyx9OcwHwYDVR0jBBgwFoAU\n"
+            "enuMwc/noMoc1Gv6++Ezww8aop0wgawGA1UdHwSBpDCBoTCBnqCBm6CBmIZLaHR0\n"
+            "cDovL21zY3JsLm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0\n"
+            "JTIwSVQlMjBUTFMlMjBDQSUyMDQuY3JshklodHRwOi8vY3JsLm1pY3Jvc29mdC5j\n"
+            "b20vcGtpL21zY29ycC9jcmwvTWljcm9zb2Z0JTIwSVQlMjBUTFMlMjBDQSUyMDQu\n"
+            "Y3JsMIGFBggrBgEFBQcBAQR5MHcwUQYIKwYBBQUHMAKGRWh0dHA6Ly93d3cubWlj\n"
+            "cm9zb2Z0LmNvbS9wa2kvbXNjb3JwL01pY3Jvc29mdCUyMElUJTIwVExTJTIwQ0El\n"
+            "MjA0LmNydDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTA+Bgkr\n"
+            "BgEEAYI3FQcEMTAvBicrBgEEAYI3FQiH2oZ1g+7ZAYLJhRuBtZ5hhfTrYIFdhNLf\n"
+            "QoLnk3oCAWQCARowHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAsGA1Ud\n"
+            "DwQEAwIEsDBNBgNVHSAERjBEMEIGCSsGAQQBgjcqATA1MDMGCCsGAQUFBwIBFido\n"
+            "dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21zY29ycC9jcHMwJwYJKwYBBAGC\n"
+            "NxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOC\n"
+            "AgEAZQDBGHkYWARoiApsKcns0lfEuovFuh9CQ3ZMVTDjDhvls0IcuddtEvETXdB+\n"
+            "h8+vgIx4jC7SmsRrpEH28X06qEZCMd1vPP/rEI9ZYwAnzabB/HRkGsPHv/hkjVbh\n"
+            "csqYVkPyD9MYc+cgRE0Nggh+l2fIuSxrMvFw0iLsE/7ZkyiZFWfLkddu/be7gjoY\n"
+            "IbNyS6E2HQkHlexz9QBUMHERUYBuqey+c1l45WTgLJUWsqeIZJ01oekLkdkR4tg1\n"
+            "pZbnFjDeRBqFLnUU1RMHlgKodJYPMzBCkZGRk0mCZJDJcZv62HNdT/Zuz4yHLz6K\n"
+            "QcjpVZacYyqeBBqJtus5zSJKP8l9MqZYbihsmAlXZdeXPwiB+YEeGGEGi2iDV39e\n"
+            "Ss6rPCL1BYZ5kvfoBdSfTAPmviK4ezCUuBL/k4YulsrquoAC/Sz+xFVEBK+qdYXc\n"
+            "zxgFMxXnx6XjxkKGYrf33g6e/9XexHsyWolQhrmbZE3GrTmH9hbqh0bg+95qhk0o\n"
+            "q+iDWy3Lj5ZnexabBg/r+szxTNmPp0LIvMcM1YW9hkAyDYuDSB0Yee/p+ByJUeMI\n"
+            "T55F/YO/Qtqc7Z2vNvnq/229nly2lg8AVwDliH30hloIffEXMY3xJWwDUG6Uj++g\n"
+            "+838tBwUOF9wrBIwh9pI8EQLW9HUROzSg8ALy7tgVWuowFo=\n"
              "-----END CERTIFICATE-----\n");
-        cm[RawCertificateID::FACEBOOK_COM].raw_base64 = raw_base64;
-        cm[RawCertificateID::FACEBOOK_COM].certPtr = createCert(raw_base64);
+        cm[RawCertificateID::MICROSOFT_COM].raw_base64 = raw_base64;
+        cm[RawCertificateID::MICROSOFT_COM].certPtr = createCert(raw_base64);
      }
  
      return cm;
diff --git a/src/ckm/unprivileged/CMakeLists.txt b/src/ckm/unprivileged/CMakeLists.txt

index 6efdfbe..14a8973 100644 (file)
--- a/src/ckm/unprivileged/CMakeLists.txt
+++ b/src/ckm/unprivileged/CMakeLists.txt
@@ -23,6 +23,7 @@ SET(CKM_SOURCES
      capi-testcases.cpp
      encryption-decryption-env.cpp
      encryption-decryption.cpp
+    sign-verify.cpp
      main.cpp
  )
  
diff --git a/src/ckm/unprivileged/async-api.cpp b/src/ckm/unprivileged/async-api.cpp

index 38b73a5..e768a00 100644 (file)
--- a/src/ckm/unprivileged/async-api.cpp
+++ b/src/ckm/unprivileged/async-api.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Contact: Bumjin Im <bj.im@samsung.com>
   *
@@ -329,8 +329,8 @@ void test_negative(F&& func, int expected, Args... args)
      RUNNER_ASSERT_MSG(obs->m_finished, "Request is not finished!");
      RUNNER_ASSERT_MSG(
              obs->m_error == expected,
-            "Expected " << expected << "/" << CKMErrorToString(expected) <<
-            " got: " << obs->m_error << "/" << CKMErrorToString(obs->m_error));
+            "Expected " << expected << "/" << APICodeToString(expected) <<
+            " got: " << obs->m_error << "/" << APICodeToString(obs->m_error));
  }
  
  template <typename F, typename... Args>
@@ -350,7 +350,7 @@ MyObserverPtr test_positive(F&& func, Args... args)
  
      RUNNER_ASSERT_MSG(obs->m_finished, "Request is not finished!");
      RUNNER_ASSERT_MSG(obs->m_error == 0,
-                         "Request failed " << obs->m_error << "/" << CKMErrorToString(obs->m_error));
+                         "Request failed " << obs->m_error << "/" << APICodeToString(obs->m_error));
      return obs;
  }
  
diff --git a/src/ckm/unprivileged/capi-testcases.cpp b/src/ckm/unprivileged/capi-testcases.cpp

index 757826f..0e0cfca 100644 (file)
--- a/src/ckm/unprivileged/capi-testcases.cpp
+++ b/src/ckm/unprivileged/capi-testcases.cpp
@@ -779,7 +779,8 @@ RUNNER_TEST(T3044_remove_bin_data_C_API)
  
  RUNNER_TEST(T3045_save_big_data_C_API, RemoveDataEnv<USER_APP>)
  {
-       const size_t BIG_SIZE = 5000000;
+       // We don't know which backend will be used
+       const size_t BIG_SIZE = 100000;
  
         std::vector<char> big_data(BIG_SIZE);
         std::ifstream is("/dev/urandom", std::ifstream::binary);
diff --git a/src/ckm/unprivileged/encryption-decryption.cpp b/src/ckm/unprivileged/encryption-decryption.cpp

index 76f1c92..c183c81 100644 (file)
--- a/src/ckm/unprivileged/encryption-decryption.cpp
+++ b/src/ckm/unprivileged/encryption-decryption.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2000 - 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2000 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -22,12 +22,12 @@
  
  #include <string>
  #include <vector>
-#include <map>
-#include <sstream>
+#include <unordered_map>
  
  #include <dpl/test/test_runner.h>
  #include <ckm-common.h>
  #include <ckmc/ckmc-manager.h>
+#include <ckmc/ckmc-control.h>
  #include <ckm/ckm-type.h>
  #include <ckm/ckm-manager.h>
  #include <encryption-decryption-env.h>
@@ -57,24 +57,6 @@ EncryptionError apiEncrypt(ckmc_param_list_h params,
      return g_api->encrypt(params, key_alias, password, decrypted, ppencrypted);
  }
  
-// Policy backend to use in subsequent operations (global for each test case)
-PolicyBackend g_backend = PolicyBackend::DEFAULT;
-
-class testBackend {
-public:
-    testBackend(PolicyBackend backend){
-        m_backend = g_backend;
-        g_backend = backend;
-    }
-
-    virtual ~testBackend(){
-        //restore in destructor
-        g_backend = m_backend;
-    }
-private:
-    PolicyBackend m_backend;
-};
-
  inline CKM::Password _tostring(const char *str)
  {
      return (str == nullptr) ? Password() : Password(str);
@@ -127,167 +109,184 @@ struct KeyAliasPair
      Alias pub;
  };
  
-class EncEnv : public RemoveDataEnv<UID> {
-public:
-    EncEnv() : m_dbu(NULL) {}
-    ~EncEnv() { delete m_dbu; }
-
-    void init(const std::string& str) {
-        RemoveDataEnv<UID>::init(str);
-        m_dbu = new ScopedDBUnlock(UID, "db-pass"); // unlock user's database
+struct SyncEnv {
+    void init(const std::string&) {
+        g_api = &g_syncApi;
      }
  
      void finish() {
-        delete m_dbu;
-        m_dbu = NULL;
-        RemoveDataEnv<UID>::finish();
-        g_api = NULL;
-    }
-
-    ScopedDBUnlock* m_dbu;
-};
-
-struct SyncEnv : public EncEnv {
-    void init(const std::string& str) {
-        EncEnv::init(str);
-        g_api = &g_syncApi;
+        g_api = nullptr;
      }
  
      static std::string suffix() { return "_sync"; }
  };
  
-struct AsyncEnv : public EncEnv {
-    void init(const std::string& str) {
-        EncEnv::init(str);
+struct AsyncEnv {
+    void init(const std::string&) {
          g_api = &g_asyncApi;
      }
  
+    void finish() {
+        g_api = nullptr;
+    }
+
      static std::string suffix() { return "_async"; }
  };
  
-struct AlgoBase {
-    ckmc_algo_type_e m_type;
-    size_t m_keyLen;
-
-    AlgoBase(ckmc_algo_type_e type, size_t keyLen) : m_type(type), m_keyLen(keyLen) {}
-
-    virtual KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr) = 0;
+struct Algo {
+    ckmc_algo_type_e type;
+    size_t keyLen;
  };
  
-typedef std::shared_ptr<AlgoBase> AlgoBasePtr;
+std::unordered_map<size_t, std::vector<Alias>> g_symKeys;
+std::unordered_map<size_t, std::vector<KeyAliasPair>> g_asymKeys;
  
-template <typename T>
-AlgoBasePtr createAlgo(ckmc_algo_type_e type, size_t keyLen) {
-    return AlgoBasePtr(new T(type, keyLen));
-}
+enum KeyIdx {
+    PRIMARY = 0,
+    PASSWORD_PROTECTED = 1,
  
-struct AlgoAes : public AlgoBase {
-    AlgoAes(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {}
-    KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr);
+    KEY_IDX_MAX
  };
  
-KeyAliasPair AlgoAes::keyGen(const char* pass, const char* suffix)
-{
-    KeyAliasPair aliases;
-    std::ostringstream oss;
-    std::string ownerId = getOwnerIdFromSelf();
-    CharPtr passPtr(nullptr, free);
-    if (pass)
-        passPtr.reset(strdup(pass));
+RawBufferPtr PLAIN_DATA;
+RawBufferPtr BIG_DATA;
+ckmc_raw_buffer_s* DEFAULT_IV;
+ckmc_raw_buffer_s* IV11;
+ckmc_raw_buffer_s* IV12;
+ckmc_raw_buffer_s* IV15;
+ckmc_raw_buffer_s* IV17;
+ckmc_raw_buffer_s* IV128;
+ckmc_raw_buffer_s* AAD32;
+ckmc_raw_buffer_s* AAD64;
  
-    oss << "aes_" << static_cast<int>(m_type) << "_" << m_keyLen << "_key_alias";
-    if (suffix)
-        oss << suffix;
-    aliases.prv = aliasWithLabel(ownerId.c_str(),oss.str().c_str());
-    aliases.pub = aliasWithLabel(ownerId.c_str(), oss.str().c_str());
+KeyAliasPair getKey(const Algo& algo, KeyIdx idx)
+{
+    if (algo.type == CKMC_ALGO_RSA_OAEP)
+        return g_asymKeys[algo.keyLen][idx];
  
-    ckmc_policy_s policy;
-    policy.extractable = false;
-    policy.password = passPtr.get();
+    KeyAliasPair pair;
+    pair.prv = g_symKeys[algo.keyLen][idx];
+    pair.pub = pair.prv;
+    return pair;
+}
  
-    auto mgr = CKM::Manager::create();
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyAES(m_keyLen, Alias(aliases.prv.c_str()),
-                        _toCkmPolicy(policy, g_backend)),
-                        "AES key creation failed");
+class EncGroupFixture: public DPL::Test::TestGroup
+{
+public:
+    void Init() override
+    {
+        remove_user_data(UID);
+        int ret = ckmc_unlock_user_key(UID, "db-pass");
+        if (ret != CKMC_ERROR_NONE)
+            RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
+
+        // Policy backend to use in subsequent operations (global for each test case)
+#ifdef TZ_BACKEND
+        m_backend = PolicyBackend::FORCE_HARDWARE;
+#else
+        m_backend = PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+        // generate keys
+        m_manager = Manager::create();
+        generateSymmetricKeys(128);
+        generateSymmetricKeys(192);
+        generateSymmetricKeys(256);
+        generateRsaKeys(1024);
+        generateRsaKeys(2048);
+        generateRsaKeys(4096);
+
+        PLAIN_DATA = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
+#ifdef TZ_BACKEND
+        BIG_DATA = create_raw_buffer(createRandomBufferCAPI(1000));
+#else
+        BIG_DATA = create_raw_buffer(createRandomBufferCAPI(5000000));
+#endif
+        DEFAULT_IV = createRandomBufferCAPI(DEFAULT_IV_LEN);
+        IV11 = createRandomBufferCAPI(11);
+        IV12 = createRandomBufferCAPI(12);
+        IV15 = createRandomBufferCAPI(15);
+        IV17 = createRandomBufferCAPI(17);
+        IV128 = createRandomBufferCAPI(128);
+        AAD32 = createRandomBufferCAPI(32);
+        AAD64 = createRandomBufferCAPI(64);
+    }
  
-    return aliases;
-}
+    void generateSymmetricKeys(size_t bitLen)
+    {
+        for (int i = 0; i < KEY_IDX_MAX; i++)
+        {
+            Policy p(Password(), false, m_backend);
+            if (i == PASSWORD_PROTECTED)
+                p.password.assign(PASSWORD);
+
+            std::string alias = std::string("skey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
+            int ret = m_manager->createKeyAES(bitLen, alias, p);
+            if (ret != CKM_API_SUCCESS)
+                RUNNER_ERROR_MSG("AES key creation failed");
+
+            g_symKeys[bitLen].push_back(alias);
+        }
+    }
  
-struct AlgoRsa : public AlgoBase {
-    AlgoRsa(ckmc_algo_type_e type, size_t keyLen) : AlgoBase(type, keyLen) {}
-    KeyAliasPair keyGen(const char* pass = nullptr, const char* suffix = nullptr);
-};
+    void generateRsaKeys(size_t bitLen)
+    {
+        for (int i = 0; i < KEY_IDX_MAX; i++)
+        {
+            Policy prvPolicy(Password(), false, m_backend);
+            Policy pubPolicy(Password(), true, m_backend);
+            if (i == PASSWORD_PROTECTED) {
+                prvPolicy.password.assign(PASSWORD);
+                pubPolicy.password.assign(PASSWORD);
+            }
+
+            KeyAliasPair alias;
+            alias.prv = std::string("akey_") + std::to_string(bitLen) + std::string("_") + std::to_string(i);
+            alias.pub = std::string("pub") + alias.prv;
+            int ret = m_manager->createKeyPairRSA(bitLen, alias.prv, alias.pub, prvPolicy, pubPolicy);
+            if (ret != CKM_API_SUCCESS)
+                RUNNER_ERROR_MSG("RSA key creation failed");
+
+            g_asymKeys[bitLen].push_back(alias);
+        }
+    }
  
-KeyAliasPair AlgoRsa::keyGen(const char* pass, const char* suffix)
-{
-    std::ostringstream oss_prv, oss_pub;
-    oss_prv << "rsa_oaep_prv_alias_" << m_keyLen;
-    oss_pub << "rsa_oaep_pub_alias_" << m_keyLen;
-    if (suffix) {
-        oss_prv << suffix;
-        oss_pub << suffix;
+    void Finish() override
+    {
+        for (const auto &entry : g_asymKeys) {
+            for (const auto &keyPair : entry.second) {
+                m_manager->removeAlias(keyPair.prv);
+                m_manager->removeAlias(keyPair.pub);
+            }
+        }
+
+        for (const auto &entry : g_symKeys) {
+            for (const auto &key : entry.second) {
+                m_manager->removeAlias(key);
+            }
+        }
+
+        BIG_DATA.reset();
+        PLAIN_DATA.reset();
+        ckmc_buffer_free(AAD64);
+        ckmc_buffer_free(AAD32);
+        ckmc_buffer_free(IV128);
+        ckmc_buffer_free(IV17);
+        ckmc_buffer_free(IV15);
+        ckmc_buffer_free(IV12);
+        ckmc_buffer_free(IV11);
+        ckmc_buffer_free(DEFAULT_IV);
+
+        int ret = ckmc_lock_user_key(UID);
+        if (ret != CKMC_ERROR_NONE)
+            RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
+        remove_user_data(UID);
      }
-    KeyAliasPair aliases = {
-            aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_prv.str().c_str()),
-            aliasWithLabel(getOwnerIdFromSelf().c_str(), oss_pub.str().c_str())
-    };
-    CharPtr passPtr(nullptr, free);
-    if (pass)
-        passPtr.reset(strdup(pass));
-
-    ckmc_policy_s policyPrv;
-    policyPrv.password = passPtr.get();
-    policyPrv.extractable = 0;
-
-    ckmc_policy_s policyPub;
-    policyPub.password = passPtr.get();
-    policyPub.extractable = 0;
-
-    auto mgr = CKM::Manager::create();
-
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == mgr->createKeyPairRSA(static_cast<int>(m_keyLen),
-                                                CKM::Alias(aliases.prv.c_str()),
-                                                CKM::Alias(aliases.pub.c_str()),
-                                                _toCkmPolicy(policyPrv, g_backend),
-                                                _toCkmPolicy(policyPub, g_backend)), "RSA key pair generation failed" );
-    return aliases;
-}
-
-enum Algorithm {
-    AES_CBC_128,
-    AES_CBC_192,
-    AES_CBC_256,
-    AES_GCM_128,
-    AES_GCM_192,
-    AES_GCM_256,
-    AES_CTR_128,
-    AES_CTR_192,
-    AES_CTR_256,
-    AES_CFB_128,
-    AES_CFB_192,
-    AES_CFB_256,
-    RSA_OAEP_1024,
-    RSA_OAEP_2048,
-    RSA_OAEP_4096,
+private:
+    ManagerShPtr m_manager;
+    PolicyBackend m_backend;
  };
  
-std::map<Algorithm, AlgoBasePtr> g_algorithms = {
-        { AES_CBC_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 128) },
-        { AES_CBC_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 192) },
-        { AES_CBC_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CBC, 256) },
-        { AES_GCM_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 128) },
-        { AES_GCM_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 192) },
-        { AES_GCM_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_GCM, 256) },
-        { AES_CTR_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 128) },
-        { AES_CTR_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 192) },
-        { AES_CTR_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CTR, 256) },
-        { AES_CFB_128, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 128) },
-        { AES_CFB_192, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 192) },
-        { AES_CFB_256, createAlgo<AlgoAes>(CKMC_ALGO_AES_CFB, 256) },
-        { RSA_OAEP_1024, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 1024) },
-        { RSA_OAEP_2048, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 2048) },
-        { RSA_OAEP_4096, createAlgo<AlgoRsa>(CKMC_ALGO_RSA_OAEP, 4096) },
-};
  
  void setParam(ParamListPtr& params, ckmc_param_name_e name, ckmc_raw_buffer_s* buffer)
  {
@@ -311,18 +310,18 @@ struct EncryptionResult
      Alias pubKey;
  };
  
-EncryptionResult encrypt(const AlgoBasePtr& algo,
+EncryptionResult encrypt(const Algo& algo,
                           const RawBufferPtr& plain,
                           const char* pass = nullptr)
  {
      EncryptionResult ret;
      ckmc_raw_buffer_s* encrypted = nullptr;
-    KeyAliasPair aliases = algo->keyGen(pass);
+    KeyAliasPair aliases = getKey(algo, pass == nullptr ? PRIMARY : PASSWORD_PROTECTED);
  
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ret.params = ParamListPtr(handle, ckmc_param_list_free);
-    setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+    setParam(ret.params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
      assert_crypto_positive(apiEncrypt,
                             ret.params.get(),
@@ -338,48 +337,55 @@ EncryptionResult encrypt(const AlgoBasePtr& algo,
  }
  
  void testAllAlgorithms(
-        const std::function<void(const AlgoBasePtr& algo)>& test)
-{
-    for(const auto& it : g_algorithms)
-        test(it.second);
-}
-
-void testNoIvEnc(Algorithm type)
+        const std::function<void(const Algo& algo)>& test)
+{
+    test( { CKMC_ALGO_AES_CBC, 128 });
+    test( { CKMC_ALGO_AES_CBC, 192 });
+    test( { CKMC_ALGO_AES_CBC, 256 });
+    test( { CKMC_ALGO_AES_GCM, 128 });
+    test( { CKMC_ALGO_AES_GCM, 192 });
+    test( { CKMC_ALGO_AES_GCM, 256 });
+    test( { CKMC_ALGO_AES_CTR, 128 });
+    test( { CKMC_ALGO_AES_CTR, 192 });
+    test( { CKMC_ALGO_AES_CTR, 256 });
+    test( { CKMC_ALGO_AES_CFB, 128 });
+    test( { CKMC_ALGO_AES_CFB, 192 });
+    test( { CKMC_ALGO_AES_CFB, 256 });
+    test( { CKMC_ALGO_RSA_OAEP, 1024 });
+    test( { CKMC_ALGO_RSA_OAEP, 2048 });
+    test( { CKMC_ALGO_RSA_OAEP, 4096 });
+}
+
+void testNoIvEnc(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encrypted = nullptr;
  
      // add key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // param list with algo type only
      ParamListPtr params = createParamListPtr();
-    setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type);
+    setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
      assert_crypto_invalid_param(apiEncrypt,
                                  params.get(),
                                  aliases.pub.c_str(),
                                  nullptr,
-                                *plain.get(),
+                                *PLAIN_DATA.get(),
                                  &encrypted);
  }
  
-void testNoIvDec(Algorithm type)
+void testNoIvDec(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // encrypt;
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // param list with algo type only
      ParamListPtr params = createParamListPtr();
-    setParam(params, CKMC_PARAM_ALGO_TYPE, algo->m_type);
+    setParam(params, CKMC_PARAM_ALGO_TYPE, algo.type);
      assert_crypto_invalid_param(apiDecrypt,
                                  params.get(),
                                  ret.prvKey.c_str(),
@@ -388,20 +394,17 @@ void testNoIvDec(Algorithm type)
                                  &decrypted);
  }
  
-void testInvalidIvEnc(Algorithm type)
+void testInvalidIvEnc(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encryptedTmp = nullptr;
  
      // add key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // setup params
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
  
      // invalid encryption
@@ -410,28 +413,25 @@ void testInvalidIvEnc(Algorithm type)
                                      params.get(),
                                      aliases.pub.c_str(),
                                      nullptr,
-                                    *plain.get(),
+                                    *PLAIN_DATA.get(),
                                      &encryptedTmp);
          ckmc_buffer_free(encryptedTmp);
          encryptedTmp = nullptr;
      };
      // invalid iv size
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1));
+    setParam(params, CKMC_PARAM_ED_IV, IV15);
      test();
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1));
+    setParam(params, CKMC_PARAM_ED_IV, IV17);
      test();
  };
  
-void testInvalidIvDec(Algorithm type)
+void testInvalidIvDec(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // valid encryption
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // decryption
      auto test2 = [&](){
@@ -446,40 +446,37 @@ void testInvalidIvDec(Algorithm type)
      };
  
      // invalid iv size
-    setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN-1));
+    setParam(ret.params, CKMC_PARAM_ED_IV, IV15);
      test2();
-    setParam(ret.params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN+1));
+    setParam(ret.params, CKMC_PARAM_ED_IV, IV17);
      test2();
  };
  
-void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name)
+void encryptionWithCustomData(const Algo& algo, ckmc_param_name_e name)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encrypted = nullptr;
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // add key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // setup params
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
  
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+    setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
      // set AAD
-    setParam(params, name, createRandomBufferCAPI(64));
+    setParam(params, name, AAD64);
  
      // encrypt
      assert_crypto_positive(apiEncrypt,
                             params.get(),
                             aliases.pub.c_str(),
                             nullptr,
-                           *plain.get(),
+                           *PLAIN_DATA.get(),
                             &encrypted);
      RawBufferPtr tmpEnc = create_raw_buffer(encrypted);
  
@@ -493,12 +490,12 @@ void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name)
      RawBufferPtr tmpDec = create_raw_buffer(decrypted);
  
      // check
-    assert_buffers_equal(*plain.get(), *tmpDec.get());
+    assert_buffers_equal(*PLAIN_DATA.get(), *tmpDec.get());
      tmpDec.reset();
      decrypted = nullptr;
  
      // set wrong AAD
-    setParam(params, name, createRandomBufferCAPI(32));
+    setParam(params, name, AAD32);
  
      // decrypt
      assert_crypto_result(EncryptionError::INVALID_PARAM,
@@ -510,12 +507,11 @@ void encryptionWithCustomData(Algorithm type, ckmc_param_name_e name)
                           &decrypted);
  }
  
-void testGcmIvSize(size_t size,
+void testGcmIvSize(ckmc_raw_buffer_s* iv,
                     const KeyAliasPair& aliases,
                     EncryptionError error = EncryptionError::SUCCESS)
  {
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      RawBufferPtr encrypted;
      RawBufferPtr decrypted;
      ckmc_raw_buffer_s* encryptedTmp = nullptr;
@@ -525,8 +521,8 @@ void testGcmIvSize(size_t size,
      ckmc_param_list_h handle = NULL;
      assert_positive(ckmc_generate_new_params, CKMC_ALGO_AES_GCM, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(size));
+    setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
+    setParam(params, CKMC_PARAM_ED_IV, iv);
  
      // encryption
      assert_crypto_result(error,
@@ -534,7 +530,7 @@ void testGcmIvSize(size_t size,
                           params.get(),
                           aliases.pub.c_str(),
                           nullptr,
-                         *plain.get(),
+                         *PLAIN_DATA.get(),
                           &encryptedTmp);
  
      if(error != EncryptionError::SUCCESS)
@@ -550,19 +546,16 @@ void testGcmIvSize(size_t size,
                             &decryptedTmp);
      decrypted = create_raw_buffer(decryptedTmp);
  
-    assert_buffers_equal(*plain.get(), *decrypted.get());
+    assert_buffers_equal(*PLAIN_DATA.get(), *decrypted.get());
  }
  
-void testIntegrity(Algorithm type)
+void testIntegrity(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // break the encrypted data
      ret.encrypted->data[BUF_LEN/2]++;
@@ -576,25 +569,22 @@ void testIntegrity(Algorithm type)
                             &decrypted);
  
      RawBufferPtr tmp = create_raw_buffer(decrypted);
-    assert_buffers_equal(*plain.get(), *decrypted, false);
+    assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
  }
  
-void testCtrEncryptionInvalidLength(Algorithm type)
+void testCtrEncryptionInvalidLength(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encryptedTmp = nullptr;
  
      // add AES CTR key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // setup params
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+    setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
      // encryption
      auto test = [&](){
@@ -602,7 +592,7 @@ void testCtrEncryptionInvalidLength(Algorithm type)
                                      params.get(),
                                      aliases.pub.c_str(),
                                      nullptr,
-                                    *plain.get(),
+                                    *PLAIN_DATA.get(),
                                      &encryptedTmp);
          ckmc_buffer_free(encryptedTmp);
          encryptedTmp = nullptr;
@@ -616,22 +606,19 @@ void testCtrEncryptionInvalidLength(Algorithm type)
      test();
  }
  
-void testCtrEncryptionValidLength(Algorithm type)
+void testCtrEncryptionValidLength(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encryptedTmp = nullptr;
  
      // add AES CTR key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // setup params
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+    setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
      // encryption
      auto test = [&](){
@@ -639,7 +626,7 @@ void testCtrEncryptionValidLength(Algorithm type)
                                 params.get(),
                                 aliases.pub.c_str(),
                                 nullptr,
-                               *plain.get(),
+                               *PLAIN_DATA.get(),
                                 &encryptedTmp);
          ckmc_buffer_free(encryptedTmp);
          encryptedTmp = nullptr;
@@ -655,16 +642,13 @@ void testCtrEncryptionValidLength(Algorithm type)
      test();
  }
  
-void testCtrDecryptionInvalidLength(Algorithm type)
+void testCtrDecryptionInvalidLength(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // add AES CTR key & encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // decryption
      auto test = [&](){
@@ -686,16 +670,13 @@ void testCtrDecryptionInvalidLength(Algorithm type)
      test();
  }
  
-void testCtrDecryptionValidLength(Algorithm type)
+void testCtrDecryptionValidLength(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // add AES CTR key & encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // decryption
      auto test = [&](){
@@ -707,7 +688,7 @@ void testCtrDecryptionValidLength(Algorithm type)
                                 &decrypted);
          ckmc_buffer_free(decrypted);
          RawBufferPtr tmp = create_raw_buffer(decrypted);
-        assert_buffers_equal(*plain.get(), *decrypted);
+        assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
      };
      // invalid counter size
      setParam(ret.params, CKMC_PARAM_ED_CTR_LEN, 1);
@@ -720,22 +701,19 @@ void testCtrDecryptionValidLength(Algorithm type)
      test();
  }
  
-void testGcmEncryptionTagLen(Algorithm type)
+void testGcmEncryptionTagLen(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* encryptedTmp = nullptr;
  
      // add AES GCM key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      // setup params
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-    setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+    setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
      std::vector<TagTest> testData = {
              // illegal tag lengths
@@ -749,9 +727,16 @@ void testGcmEncryptionTagLen(Algorithm type)
              { 116,  EncryptionError::INVALID_PARAM },
              { 124,  EncryptionError::INVALID_PARAM },
              { 256,  EncryptionError::INVALID_PARAM },
+#ifdef TZ_BACKEND
+            { 32,   EncryptionError::INVALID_PARAM },
+            { 64,   EncryptionError::INVALID_PARAM },
+            // legal tag lengths
+#else
              // legal tag lengths
              { 32,   EncryptionError::SUCCESS },
              { 64,   EncryptionError::SUCCESS },
+#endif
+
              { 96,   EncryptionError::SUCCESS },
              { 104,  EncryptionError::SUCCESS },
              { 112,  EncryptionError::SUCCESS },
@@ -768,23 +753,20 @@ void testGcmEncryptionTagLen(Algorithm type)
                               params.get(),
                               aliases.pub.c_str(),
                               nullptr,
-                             *plain.get(),
+                             *PLAIN_DATA.get(),
                               &encryptedTmp);
          ckmc_buffer_free(encryptedTmp);
          encryptedTmp = nullptr;
      }
  }
  
-void testGcmDecryptionTagLen(Algorithm type)
+void testGcmDecryptionTagLen(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // add AES GCM key & encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      std::vector<TagTest> testData = {
              // illegal tag lengths
@@ -825,16 +807,13 @@ void testGcmDecryptionTagLen(Algorithm type)
      }
  }
  
-void testGcmWrongTag(Algorithm type)
+void testGcmWrongTag(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // encrypt with AES GCM
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
      // modify tag (last 16B of encrypted message)
      ret.encrypted->data[ret.encrypted->size-1]++;
@@ -849,29 +828,24 @@ void testGcmWrongTag(Algorithm type)
                           &decrypted);
  }
  
-void testGcmDifferentIvSizes(Algorithm type)
+void testGcmDifferentIvSizes(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // add AES GCM key
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
-    testGcmIvSize(11,  aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
-    testGcmIvSize(12,  aliases);
-    testGcmIvSize(17,  aliases);
-    testGcmIvSize(128, aliases);
+    testGcmIvSize(IV11,  aliases, EncryptionError::SERVER_ERROR); // 12B is the smallest
+    testGcmIvSize(IV12,  aliases);
+    testGcmIvSize(IV17,  aliases);
+    testGcmIvSize(IV128, aliases);
  }
  
-void testEncryptDecryptBigData(Algorithm type)
+void testEncryptDecryptBigData(const Algo& algo)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
-
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(5000000));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, BIG_DATA);
  
      assert_positive(apiDecrypt,
                      ret.params.get(),
@@ -881,53 +855,44 @@ void testEncryptDecryptBigData(Algorithm type)
                      &decrypted);
      RawBufferPtr tmp = create_raw_buffer(decrypted);
  
-    assert_buffers_equal(*plain.get(), *decrypted);
+    assert_buffers_equal(*BIG_DATA.get(), *decrypted);
  }
  
-void testEncryptDecryptDifferentKeys(Algorithm type, bool success)
+void testEncryptDecryptDifferentKeys(const Algo& algo, bool success)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
      // prepare buffers
-    RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
      ckmc_raw_buffer_s* decrypted = nullptr;
  
      // encrypt
-    auto ret = encrypt(algo, plain);
+    auto ret = encrypt(algo, PLAIN_DATA);
  
-    // add different key
-    KeyAliasPair differentKeys = algo->keyGen(nullptr, "_wrong");
+    // get different keys
+    KeyAliasPair differentKeys = getKey(algo, PASSWORD_PROTECTED);
  
      if (success) {
          // some algorithms don't verify key validity
          assert_crypto_positive(apiDecrypt,
                                 ret.params.get(),
                                 differentKeys.prv.c_str(),
-                               nullptr,
+                               PASSWORD,
                                 *ret.encrypted.get(),
                                 &decrypted);
          RawBufferPtr tmp = create_raw_buffer(decrypted);
  
-        assert_buffers_equal(*plain.get(), *decrypted, false);
+        assert_buffers_equal(*PLAIN_DATA.get(), *decrypted, false);
      } else {
-               assert_crypto_result(EncryptionError::INVALID_PARAM,
+        assert_crypto_result(EncryptionError::INVALID_PARAM,
                               apiDecrypt,
                               ret.params.get(),
                               differentKeys.prv.c_str(),
-                             nullptr,
+                             PASSWORD,
                               *ret.encrypted.get(),
                               &decrypted);
-       }
-
-    // Cleanup before testing next algorithm. Ignore results because not all keys are present
-    ckmc_remove_alias(ret.prvKey.c_str());
-    ckmc_remove_alias(ret.pubKey.c_str());
-    ckmc_remove_alias(differentKeys.prv.c_str());
-    ckmc_remove_alias(differentKeys.pub.c_str());
+    }
  }
  
-void testRsaLongestData(Algorithm type, size_t dataSize)
+void testRsaLongestData(const Algo& algo, size_t dataSize)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
      // prepare buffers
      RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
      ckmc_raw_buffer_s* decrypted = nullptr;
@@ -946,19 +911,18 @@ void testRsaLongestData(Algorithm type, size_t dataSize)
      assert_buffers_equal(*plain.get(), *decrypted);
  }
  
-void testRsaDataTooLong(Algorithm type, size_t dataSize)
+void testRsaDataTooLong(const Algo& algo, size_t dataSize)
  {
-    const AlgoBasePtr& algo = g_algorithms.at(type);
      // prepare buffers
      RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(dataSize));
  
      // encrypt
      EncryptionResult ret;
      ckmc_raw_buffer_s* encrypted = nullptr;
-    KeyAliasPair aliases = algo->keyGen();
+    KeyAliasPair aliases = getKey(algo, PRIMARY);
  
      ckmc_param_list_h handle = NULL;
-    assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+    assert_positive(ckmc_generate_new_params, algo.type, &handle);
      ret.params = ParamListPtr(handle, ckmc_param_list_free);
      assert_crypto_result(EncryptionError::INVALID_PARAM,
                           apiEncrypt,
@@ -971,8 +935,7 @@ void testRsaDataTooLong(Algorithm type, size_t dataSize)
  
  } // namespace anonymous
  
-
-RUNNER_TEST_GROUP_INIT(CKM_ENCRYPTION_DECRYPTION);
+RUNNER_TEST_GROUP_INIT_ENV(CKM_ENCRYPTION_DECRYPTION, EncGroupFixture);
  
  /////////////////////////////////////////
  // Generic encryption decryption tests
@@ -980,20 +943,19 @@ RUNNER_TEST_GROUP_INIT(CKM_ENCRYPTION_DECRYPTION);
  
  RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* encrypted = nullptr;
  
          // add key
-        KeyAliasPair aliases = algo->keyGen();
+        KeyAliasPair aliases = getKey(algo, PRIMARY);
  
          // null param list
          assert_crypto_invalid_param(apiEncrypt,
                                      nullptr,
                                      aliases.pub.c_str(),
                                      nullptr,
-                                    *plain.get(),
+                                    *PLAIN_DATA.get(),
                                      &encrypted);
  
          // empty param list
@@ -1002,49 +964,48 @@ RUNNER_TEST_MULTIPLE(TED_0010_encrypt_invalid_param_list, SyncEnv, AsyncEnv)
                                      params.get(),
                                      aliases.pub.c_str(),
                                      nullptr,
-                                    *plain.get(),
+                                    *PLAIN_DATA.get(),
                                      &encrypted);
      });
  }
  
  RUNNER_TEST_MULTIPLE(TED_0020_encrypt_missing_key, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* encrypted = nullptr;
  
          // setup params
          ckmc_param_list_h handle = NULL;
-        assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+        assert_positive(ckmc_generate_new_params, algo.type, &handle);
          ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-        setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+        setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
          assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
                               apiEncrypt,
                               params.get(),
                               "non-existing-key-alias",
                               nullptr,
-                             *plain.get(),
+                             *PLAIN_DATA.get(),
                               &encrypted);
      });
  }
  
  RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
          ckmc_raw_buffer_s plain = { nullptr, 0 };
          ckmc_raw_buffer_s* encrypted = nullptr;
  
          // add key
-        KeyAliasPair aliases = algo->keyGen();
+        KeyAliasPair aliases = getKey(algo, PRIMARY);
  
          // setup params
          ckmc_param_list_h handle = NULL;
-        assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+        assert_positive(ckmc_generate_new_params, algo.type, &handle);
          ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-        setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+        setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
          assert_crypto_invalid_param(apiEncrypt,
                                      params.get(),
@@ -1057,38 +1018,36 @@ RUNNER_TEST_MULTIPLE(TED_0030_encrypt_no_plain_text, SyncEnv, AsyncEnv)
  
  RUNNER_TEST_MULTIPLE(TED_0040_encrypt_no_output_buffer, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s** encrypted = nullptr;
  
          // add key
-        KeyAliasPair aliases = algo->keyGen();
+        KeyAliasPair aliases = getKey(algo, PRIMARY);
  
          // setup params
          ckmc_param_list_h handle = NULL;
-        assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+        assert_positive(ckmc_generate_new_params, algo.type, &handle);
          ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-        setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+        setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
          assert_crypto_invalid_param(apiEncrypt,
                                      params.get(),
                                      aliases.pub.c_str(),
                                      nullptr,
-                                    *plain.get(),
+                                    *PLAIN_DATA.get(),
                                      encrypted);
      });
  }
  
  RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* decrypted = nullptr;
  
          // encrypt;
-        auto ret = encrypt(algo, plain);
+        auto ret = encrypt(algo, PLAIN_DATA);
  
          // null param list
          assert_crypto_invalid_param(apiDecrypt,
@@ -1111,22 +1070,18 @@ RUNNER_TEST_MULTIPLE(TED_0110_decrypt_invalid_param_list, SyncEnv, AsyncEnv)
  
  RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* decrypted = nullptr;
  
          // encrypt
-        auto ret = encrypt(algo, plain);
-
-        // remove key
-        assert_positive(ckmc_remove_alias, ret.prvKey.c_str());
+        auto ret = encrypt(algo, PLAIN_DATA);
  
          // try to decrypt
          assert_crypto_result(EncryptionError::ALIAS_UNKNOWN,
                               apiDecrypt,
                               ret.params.get(),
-                             ret.prvKey.c_str(),
+                             "non-existent-key",
                               nullptr,
                               *ret.encrypted.get(),
                               &decrypted);
@@ -1135,19 +1090,19 @@ RUNNER_TEST_MULTIPLE(TED_0120_decrypt_missing_key, SyncEnv, AsyncEnv)
  
  RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
          ckmc_raw_buffer_s encrypted = { nullptr, 0 };
          ckmc_raw_buffer_s* decrypted = nullptr;
  
          // add key
-        KeyAliasPair aliases = algo->keyGen();
+        KeyAliasPair aliases = getKey(algo, PRIMARY);
  
          // setup params
          ckmc_param_list_h handle = NULL;
-        assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+        assert_positive(ckmc_generate_new_params, algo.type, &handle);
          ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-        setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+        setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
          assert_crypto_invalid_param(apiDecrypt,
                                      params.get(),
@@ -1160,13 +1115,12 @@ RUNNER_TEST_MULTIPLE(TED_0130_decrypt_no_encrypted_text, SyncEnv, AsyncEnv)
  
  RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s** decrypted = nullptr;
  
          // encrypt
-        auto ret = encrypt(algo, plain);
+        auto ret = encrypt(algo, PLAIN_DATA);
  
          assert_crypto_invalid_param(apiDecrypt,
                                      ret.params.get(),
@@ -1179,33 +1133,28 @@ RUNNER_TEST_MULTIPLE(TED_0140_decrypt_no_output_buffer, SyncEnv, AsyncEnv)
  
  RUNNER_TEST_MULTIPLE(TED_0200_encrypt_decrypt_different_keys, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptDifferentKeys(AES_CBC_128, false);
-    testEncryptDecryptDifferentKeys(AES_CBC_192, false);
-    testEncryptDecryptDifferentKeys(AES_CBC_256, false);
-    testEncryptDecryptDifferentKeys(AES_GCM_128, false);
-    testEncryptDecryptDifferentKeys(AES_GCM_192, false);
-    testEncryptDecryptDifferentKeys(AES_GCM_256, false);
-    testEncryptDecryptDifferentKeys(AES_CTR_128, true);
-    testEncryptDecryptDifferentKeys(AES_CTR_192, true);
-    testEncryptDecryptDifferentKeys(AES_CTR_256, true);
-    testEncryptDecryptDifferentKeys(AES_CFB_128, true);
-    testEncryptDecryptDifferentKeys(AES_CFB_192, true);
-    testEncryptDecryptDifferentKeys(AES_CFB_256, true);
-    testEncryptDecryptDifferentKeys(RSA_OAEP_1024, false);
-    testEncryptDecryptDifferentKeys(RSA_OAEP_2048, false);
-    testEncryptDecryptDifferentKeys(RSA_OAEP_4096, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 128}, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 192}, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_GCM, 256}, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 128}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 192}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CTR, 256}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 128}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 192}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_AES_CFB, 256}, true);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 1024}, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 2048}, false);
+    testEncryptDecryptDifferentKeys({CKMC_ALGO_RSA_OAEP, 4096}, false);
  }
  
  RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* decrypted = nullptr;
  
          // encrypt
-        auto ret = encrypt(algo, plain);
+        auto ret = encrypt(algo, PLAIN_DATA);
  
          assert_crypto_positive(apiDecrypt,
                                 ret.params.get(),
@@ -1215,19 +1164,18 @@ RUNNER_TEST_MULTIPLE(TED_0300_encrypt_decrypt, SyncEnv, AsyncEnv)
                                 &decrypted);
          RawBufferPtr tmp = create_raw_buffer(decrypted);
  
-        assert_buffers_equal(*plain.get(), *decrypted);
+        assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
      });
  }
  
  RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
          ckmc_raw_buffer_s* decrypted = nullptr;
  
          // encrypt
-        auto ret = encrypt(algo, plain, PASSWORD);
+        auto ret = encrypt(algo, PLAIN_DATA, PASSWORD);
  
          // wrong password
          assert_crypto_result(EncryptionError::AUTH_FAILED,
@@ -1247,81 +1195,69 @@ RUNNER_TEST_MULTIPLE(TED_0310_encrypt_decrypt_password, SyncEnv, AsyncEnv)
                                 &decrypted);
          RawBufferPtr tmp = create_raw_buffer(decrypted); // guarantees deletion
  
-        assert_buffers_equal(*plain.get(), *decrypted);
+        assert_buffers_equal(*PLAIN_DATA.get(), *decrypted);
      });
  }
  
  // long test split into smaller ones
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_128, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CBC_128);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 128});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_192, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CBC_192);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 192});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cbc_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CBC_256, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CBC_256);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CBC, 256});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_128, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_GCM_128);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 128});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_192, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_GCM_192);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 192});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_gcm_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_GCM_256, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_GCM_256);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_GCM, 256});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_128, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CTR_128);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 128});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_192, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CTR_192);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 192});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_ctr_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CTR_256, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CTR_256);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CTR, 256});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_128, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_128, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CFB_128);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 128});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_192, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_192, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CFB_192);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 192});
  }
  
-RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_256, SyncEnv, AsyncEnv)
+RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_AES_CFB_256, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testEncryptDecryptBigData(AES_CFB_256);
+    testEncryptDecryptBigData({CKMC_ALGO_AES_CFB, 256});
  }
  
  /////////////////////////////////////////
@@ -1330,183 +1266,179 @@ RUNNER_TEST_MULTIPLE(TED_0400_encrypt_decrypt_big_data_aes_cfb_256, SyncEnv, Asy
  
  RUNNER_TEST_MULTIPLE(TED_1005_no_iv_enc, SyncEnv, AsyncEnv)
  {
-    testNoIvEnc(AES_CTR_128);
-    testNoIvEnc(AES_CTR_192);
-    testNoIvEnc(AES_CTR_256);
-    testNoIvEnc(AES_CBC_128);
-    testNoIvEnc(AES_CBC_192);
-    testNoIvEnc(AES_CBC_256);
-    testNoIvEnc(AES_CFB_128);
-    testNoIvEnc(AES_CFB_192);
-    testNoIvEnc(AES_CFB_256);
-    testNoIvEnc(AES_GCM_128);
-    testNoIvEnc(AES_GCM_192);
-    testNoIvEnc(AES_GCM_256);
+    testNoIvEnc({CKMC_ALGO_AES_CTR, 128});
+    testNoIvEnc({CKMC_ALGO_AES_CTR, 192});
+    testNoIvEnc({CKMC_ALGO_AES_CTR, 256});
+    testNoIvEnc({CKMC_ALGO_AES_CBC, 128});
+    testNoIvEnc({CKMC_ALGO_AES_CBC, 192});
+    testNoIvEnc({CKMC_ALGO_AES_CBC, 256});
+    testNoIvEnc({CKMC_ALGO_AES_CFB, 128});
+    testNoIvEnc({CKMC_ALGO_AES_CFB, 192});
+    testNoIvEnc({CKMC_ALGO_AES_CFB, 256});
+    testNoIvEnc({CKMC_ALGO_AES_GCM, 128});
+    testNoIvEnc({CKMC_ALGO_AES_GCM, 192});
+    testNoIvEnc({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1010_invalid_iv_enc, SyncEnv, AsyncEnv)
  {
-    testInvalidIvEnc(AES_CTR_128);
-    testInvalidIvEnc(AES_CTR_192);
-    testInvalidIvEnc(AES_CTR_256);
-    testInvalidIvEnc(AES_CBC_128);
-    testInvalidIvEnc(AES_CBC_192);
-    testInvalidIvEnc(AES_CBC_256);
-    testInvalidIvEnc(AES_CFB_128);
-    testInvalidIvEnc(AES_CFB_192);
-    testInvalidIvEnc(AES_CFB_256);
+    testInvalidIvEnc({CKMC_ALGO_AES_CTR, 128});
+    testInvalidIvEnc({CKMC_ALGO_AES_CTR, 192});
+    testInvalidIvEnc({CKMC_ALGO_AES_CTR, 256});
+    testInvalidIvEnc({CKMC_ALGO_AES_CBC, 128});
+    testInvalidIvEnc({CKMC_ALGO_AES_CBC, 192});
+    testInvalidIvEnc({CKMC_ALGO_AES_CBC, 256});
+    testInvalidIvEnc({CKMC_ALGO_AES_CFB, 128});
+    testInvalidIvEnc({CKMC_ALGO_AES_CFB, 192});
+    testInvalidIvEnc({CKMC_ALGO_AES_CFB, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1015_no_iv_dec, SyncEnv, AsyncEnv)
  {
-    testNoIvDec(AES_CTR_128);
-    testNoIvDec(AES_CTR_192);
-    testNoIvDec(AES_CTR_256);
-    testNoIvDec(AES_CBC_128);
-    testNoIvDec(AES_CBC_192);
-    testNoIvDec(AES_CBC_256);
-    testNoIvDec(AES_CFB_128);
-    testNoIvDec(AES_CFB_192);
-    testNoIvDec(AES_CFB_256);
-    testNoIvDec(AES_GCM_128);
-    testNoIvDec(AES_GCM_192);
-    testNoIvDec(AES_GCM_256);
+    testNoIvDec({CKMC_ALGO_AES_CTR, 128});
+    testNoIvDec({CKMC_ALGO_AES_CTR, 192});
+    testNoIvDec({CKMC_ALGO_AES_CTR, 256});
+    testNoIvDec({CKMC_ALGO_AES_CBC, 128});
+    testNoIvDec({CKMC_ALGO_AES_CBC, 192});
+    testNoIvDec({CKMC_ALGO_AES_CBC, 256});
+    testNoIvDec({CKMC_ALGO_AES_CFB, 128});
+    testNoIvDec({CKMC_ALGO_AES_CFB, 192});
+    testNoIvDec({CKMC_ALGO_AES_CFB, 256});
+    testNoIvDec({CKMC_ALGO_AES_GCM, 128});
+    testNoIvDec({CKMC_ALGO_AES_GCM, 192});
+    testNoIvDec({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1020_invalid_iv_dec, SyncEnv, AsyncEnv)
  {
-    testInvalidIvDec(AES_CTR_128);
-    testInvalidIvDec(AES_CTR_192);
-    testInvalidIvDec(AES_CTR_256);
-    testInvalidIvDec(AES_CBC_128);
-    testInvalidIvDec(AES_CBC_192);
-    testInvalidIvDec(AES_CBC_256);
-    testInvalidIvDec(AES_CFB_128);
-    testInvalidIvDec(AES_CFB_192);
-    testInvalidIvDec(AES_CFB_256);
+    testInvalidIvDec({CKMC_ALGO_AES_CTR, 128});
+    testInvalidIvDec({CKMC_ALGO_AES_CTR, 192});
+    testInvalidIvDec({CKMC_ALGO_AES_CTR, 256});
+    testInvalidIvDec({CKMC_ALGO_AES_CBC, 128});
+    testInvalidIvDec({CKMC_ALGO_AES_CBC, 192});
+    testInvalidIvDec({CKMC_ALGO_AES_CBC, 256});
+    testInvalidIvDec({CKMC_ALGO_AES_CFB, 128});
+    testInvalidIvDec({CKMC_ALGO_AES_CFB, 192});
+    testInvalidIvDec({CKMC_ALGO_AES_CFB, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1050_data_integrity, SyncEnv, AsyncEnv)
  {
-    testIntegrity(AES_CTR_128);
-    testIntegrity(AES_CTR_192);
-    testIntegrity(AES_CTR_256);
-    testIntegrity(AES_CBC_128);
-    testIntegrity(AES_CBC_192);
-    testIntegrity(AES_CBC_256);
-    testIntegrity(AES_CFB_128);
-    testIntegrity(AES_CFB_192);
-    testIntegrity(AES_CFB_256);
+    testIntegrity({CKMC_ALGO_AES_CTR, 128});
+    testIntegrity({CKMC_ALGO_AES_CTR, 192});
+    testIntegrity({CKMC_ALGO_AES_CTR, 256});
+    testIntegrity({CKMC_ALGO_AES_CBC, 128});
+    testIntegrity({CKMC_ALGO_AES_CBC, 192});
+    testIntegrity({CKMC_ALGO_AES_CBC, 256});
+    testIntegrity({CKMC_ALGO_AES_CFB, 128});
+    testIntegrity({CKMC_ALGO_AES_CFB, 192});
+    testIntegrity({CKMC_ALGO_AES_CFB, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1100_ctr_encryption_invalid_length, SyncEnv, AsyncEnv)
  {
-    testCtrEncryptionInvalidLength(AES_CTR_128);
-    testCtrEncryptionInvalidLength(AES_CTR_192);
-    testCtrEncryptionInvalidLength(AES_CTR_256);
+    testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
+    testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
+    testCtrEncryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1105_ctr_encryption_valid_length, SyncEnv, AsyncEnv)
  {
      RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
-    testCtrEncryptionValidLength(AES_CTR_128);
-    testCtrEncryptionValidLength(AES_CTR_192);
-    testCtrEncryptionValidLength(AES_CTR_256);
+    testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 128});
+    testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 192});
+    testCtrEncryptionValidLength({CKMC_ALGO_AES_CTR, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1110_ctr_decryption_invalid_length, SyncEnv, AsyncEnv)
  {
-    testCtrDecryptionInvalidLength(AES_CTR_128);
-    testCtrDecryptionInvalidLength(AES_CTR_192);
-    testCtrDecryptionInvalidLength(AES_CTR_256);
+    testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 128});
+    testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 192});
+    testCtrDecryptionInvalidLength({CKMC_ALGO_AES_CTR, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1115_ctr_decryption_valid_length, SyncEnv, AsyncEnv)
  {
      RUNNER_IGNORED_MSG("Openssl supports only 128-bit AES CTR length");
-    testCtrDecryptionValidLength(AES_CTR_128);
-    testCtrDecryptionValidLength(AES_CTR_192);
-    testCtrDecryptionValidLength(AES_CTR_256);
+    testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 128});
+    testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 192});
+    testCtrDecryptionValidLength({CKMC_ALGO_AES_CTR, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1200_gcm_encryption_tag_len, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testGcmEncryptionTagLen(AES_GCM_128);
-    testGcmEncryptionTagLen(AES_GCM_192);
-    testGcmEncryptionTagLen(AES_GCM_256);
+    testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 128});
+    testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 192});
+    testGcmEncryptionTagLen({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1210_gcm_decryption_tag_len, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testGcmDecryptionTagLen(AES_GCM_128);
-    testGcmDecryptionTagLen(AES_GCM_192);
-    testGcmDecryptionTagLen(AES_GCM_256);
+    testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 128});
+    testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 192});
+    testGcmDecryptionTagLen({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1230_gcm_wrong_tag, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    testGcmWrongTag(AES_GCM_128);
-    testGcmWrongTag(AES_GCM_192);
-    testGcmWrongTag(AES_GCM_256);
+    testGcmWrongTag({CKMC_ALGO_AES_GCM, 128});
+    testGcmWrongTag({CKMC_ALGO_AES_GCM, 192});
+    testGcmWrongTag({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1240_gcm_different_iv_sizes, SyncEnv, AsyncEnv)
  {
-    testGcmDifferentIvSizes(AES_GCM_128);
-    testGcmDifferentIvSizes(AES_GCM_192);
-    testGcmDifferentIvSizes(AES_GCM_256);
+    testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 128});
+    testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 192});
+    testGcmDifferentIvSizes({CKMC_ALGO_AES_GCM, 256});
  }
  
  RUNNER_TEST_MULTIPLE(TED_1250_gcm_aad, SyncEnv, AsyncEnv)
  {
-    testBackend b(PolicyBackend::FORCE_SOFTWARE);
-    encryptionWithCustomData(AES_GCM_128, CKMC_PARAM_ED_AAD);
-    encryptionWithCustomData(AES_GCM_192, CKMC_PARAM_ED_AAD);
-    encryptionWithCustomData(AES_GCM_256, CKMC_PARAM_ED_AAD);
+    encryptionWithCustomData({CKMC_ALGO_AES_GCM, 128}, CKMC_PARAM_ED_AAD);
+    encryptionWithCustomData({CKMC_ALGO_AES_GCM, 192}, CKMC_PARAM_ED_AAD);
+    encryptionWithCustomData({CKMC_ALGO_AES_GCM, 256}, CKMC_PARAM_ED_AAD);
  }
  
  RUNNER_TEST_MULTIPLE(TED_1300_rsa_label, SyncEnv, AsyncEnv)
  {
      RUNNER_IGNORED_MSG("RSA-OAEP labels are not supported in openssl");
-    encryptionWithCustomData(RSA_OAEP_1024, CKMC_PARAM_ED_LABEL);
-    encryptionWithCustomData(RSA_OAEP_2048, CKMC_PARAM_ED_LABEL);
-    encryptionWithCustomData(RSA_OAEP_4096, CKMC_PARAM_ED_LABEL);
+    encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 1024}, CKMC_PARAM_ED_LABEL);
+    encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 2048}, CKMC_PARAM_ED_LABEL);
+    encryptionWithCustomData({CKMC_ALGO_RSA_OAEP, 4096}, CKMC_PARAM_ED_LABEL);
  }
  
  RUNNER_TEST_MULTIPLE(TED_1330_rsa_longest_data, SyncEnv, AsyncEnv)
  {
-    testRsaLongestData(RSA_OAEP_1024, 86);
-    testRsaLongestData(RSA_OAEP_2048, 214);
-    testRsaLongestData(RSA_OAEP_4096, 470);
+    testRsaLongestData({CKMC_ALGO_RSA_OAEP, 1024}, 86);
+    testRsaLongestData({CKMC_ALGO_RSA_OAEP, 2048}, 214);
+    testRsaLongestData({CKMC_ALGO_RSA_OAEP, 4096}, 470);
  }
  
  RUNNER_TEST_MULTIPLE(TED_1350_rsa_data_too_long, SyncEnv, AsyncEnv)
  {
-    testRsaDataTooLong(RSA_OAEP_1024, 87);
-    testRsaDataTooLong(RSA_OAEP_2048, 215);
-    testRsaDataTooLong(RSA_OAEP_4096, 471);
+    testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 1024}, 87);
+    testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 2048}, 215);
+    testRsaDataTooLong({CKMC_ALGO_RSA_OAEP, 4096}, 471);
  }
  
  /////////////////////////////////////////
  // Asynchronous only tests
  /////////////////////////////////////////
-RUNNER_TEST(TED_2000_enc_no_observer_async, EncEnv)
+RUNNER_TEST(TED_2000_enc_no_observer_async, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
+    testAllAlgorithms([](const Algo& algo){
          // prepare buffers
          RawBuffer plain = createRandomBuffer(BUF_LEN);
  
          // keys
-        KeyAliasPair aliases = algo->keyGen(nullptr);
+        KeyAliasPair aliases = getKey(algo, PRIMARY);
  
          // params
          ckmc_param_list_h handle = NULL;
-        assert_positive(ckmc_generate_new_params, algo->m_type, &handle);
+        assert_positive(ckmc_generate_new_params, algo.type, &handle);
          ParamListPtr params = ParamListPtr(handle, ckmc_param_list_free);
-        setParam(params, CKMC_PARAM_ED_IV, createRandomBufferCAPI(DEFAULT_IV_LEN));
+        setParam(params, CKMC_PARAM_ED_IV, DEFAULT_IV);
  
          // encrypt
          test_no_observer(&ManagerAsync::encrypt,
@@ -1519,12 +1451,9 @@ RUNNER_TEST(TED_2000_enc_no_observer_async, EncEnv)
  
  RUNNER_TEST(TED_2010_dec_no_observer_async, AsyncEnv)
  {
-    testAllAlgorithms([](const AlgoBasePtr& algo){
-        // prepare buffers
-        RawBufferPtr plain = create_raw_buffer(createRandomBufferCAPI(BUF_LEN));
-
+    testAllAlgorithms([](const Algo& algo){
          // encrypt
-        auto ret = encrypt(algo, plain);
+        auto ret = encrypt(algo, PLAIN_DATA);
          RawBuffer encrypted(ret.encrypted->data, ret.encrypted->data + ret.encrypted->size);
  
          // decrypt
diff --git a/src/ckm/unprivileged/main.cpp b/src/ckm/unprivileged/main.cpp

index 6c2fe63..b5e2b93 100644 (file)
--- a/src/ckm/unprivileged/main.cpp
+++ b/src/ckm/unprivileged/main.cpp
@@ -1,5 +1,5 @@
  /*
- *  Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *  Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *  Licensed under the Apache License, Version 2.0 (the "License");
   *  you may not use this file except in compliance with the License.
@@ -50,6 +50,16 @@ const int USER_TEST = 5001;
  
  const CKM::CertificateShPtrVector EMPTY_CERT_VECTOR;
  const CKM::AliasVector EMPTY_ALIAS_VECTOR;
+const std::string KEY_PEM = "-----BEGIN PUBLIC KEY-----\n"
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2b1bXDa+S8/MGWnMkru4\n"
+    "T4tUddtZNi0NVjQn9RFH1NMa220GsRhRO56F77FlSVFKfSfVZKIiWg6C+DVCkcLf\n"
+    "zXJ/Z0pvwOQYBAqVMFjV6efQGN0JzJ1Unu7pPRiZl7RKGEI+cyzzrcDyrLLrQ2W7\n"
+    "0ZySkNEOv6Frx9JgC5NExuYY4lk2fQQa38JXiZkfyzif2em0px7mXbyf5LjccsKq\n"
+    "v1e+XLtMsL0ZefRcqsP++NzQAI8fKX7WBT+qK0HJDLiHrKOTWYzx6CwJ66LD/vvf\n"
+    "j55xtsKDLVDbsotvf8/m6VLMab+vqKk11TP4tq6yo0mwyTADvgl1zowQEO9I1W6o\n"
+    "zQIDAQAB\n"
+    "-----END PUBLIC KEY-----";
+
  } // namespace anonymous
  
  /*
@@ -73,7 +83,7 @@ RUNNER_TEST(T0011_Control)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP, "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T0012_Control)
@@ -82,10 +92,10 @@ RUNNER_TEST(T0012_Control)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP, "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_APP)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T0013_Control)
@@ -94,7 +104,7 @@ RUNNER_TEST(T0013_Control)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP, "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T0014_Control)
@@ -103,31 +113,31 @@ RUNNER_TEST(T0014_Control)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_APP_3)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_APP_3, "simple-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->resetUserPassword(USER_APP_3, "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP_3, "test-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_APP_3)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_BAD_REQUEST == (temp = control->resetUserPassword(USER_APP_3, "something")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_APP_3)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T0015_Control)
@@ -136,16 +146,16 @@ RUNNER_TEST(T0015_Control)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP_2, "test-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->changeUserPassword(USER_APP_2, "test-pass", "new-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_APP_2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_APP_2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T0016_Control_negative_wrong_password)
@@ -154,19 +164,19 @@ RUNNER_TEST(T0016_Control_negative_wrong_password)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP_2, "test-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->changeUserPassword(USER_APP_2, "test-pass", "new-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_APP_2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = control->unlockUserKey(USER_APP_2, "incorrect-password")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->removeUserData(USER_APP_2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST_GROUP_INIT(T101_CKM_QUICK_SET_GET_TESTS);
@@ -198,10 +208,10 @@ RUNNER_TEST(T1011_key)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKey(alias, CKM::Password(), key2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          key->getDER() == key2->getDER(),
          "Key value has been changed by service");
@@ -218,10 +228,10 @@ RUNNER_TEST(T1012_certificate)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveCertificate(alias, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getCertificate(alias, CKM::Password(), cert2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          cert->getDER() == cert2->getDER(),
          "Data has been modified in key manager");
@@ -251,12 +261,12 @@ RUNNER_TEST(T1014_save_with_label)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(full_address, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      // lookup by name
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKey(alias, CKM::Password(), key_name)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          key->getDER() == key_name->getDER(),
          "Key value has been changed by service");
@@ -264,12 +274,48 @@ RUNNER_TEST(T1014_save_with_label)
      // lookup by full address
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKey(full_address, CKM::Password(), key_full_addr)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          key->getDER() == key_full_addr->getDER(),
          "Key value has been changed by service");
  }
  
+RUNNER_TEST(T1020_save_big_data)
+{
+#ifdef TZ_BACKEND
+    const size_t BIG_SIZE = 100000;
+    CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_HARDWARE;
+#else
+    const size_t BIG_SIZE = 5000000;
+    CKM::PolicyBackend backend = CKM::PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+    int temp;
+    std::vector<char> big_data(BIG_SIZE);
+    std::ifstream is("/dev/urandom", std::ifstream::binary);
+    if(is)
+        is.read(big_data.data(), BIG_SIZE);
+
+    RUNNER_ASSERT_MSG(is,
+            "Only " << is.gcount() << "/" << BIG_SIZE << " bytes read from /dev/urandom");
+
+    CKM::RawBuffer buffer(big_data.begin(), big_data.end());
+    CKM::Policy policy(CKM::Password(), true, backend);
+    CKM::RawBuffer returned;
+
+    auto manager = CKM::Manager::create();
+
+    RUNNER_ASSERT_MSG(
+        CKM_API_SUCCESS == (temp = manager->saveData("big_data", buffer, policy)),
+        "Error=" << CKM::APICodeToString(temp));
+
+    RUNNER_ASSERT_MSG(
+        CKM_API_SUCCESS == (temp = manager->getData("big_data", CKM::Password(), returned)),
+        "Error=" << CKM::APICodeToString(temp));
+
+    RUNNER_ASSERT_MSG(buffer == returned, "Returned data doesn't match the original");
+}
+
  RUNNER_TEST(T1015_deinit)
  {
      remove_user_data(USER_APP);
@@ -283,7 +329,7 @@ RUNNER_TEST(T1020_init)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP, "user-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1021_save_keys_get_alias)
@@ -308,16 +354,16 @@ RUNNER_TEST(T1021_save_keys_get_alias)
      size_t current_aliases_num = count_aliases(ALIAS_KEY);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("rootkey1", key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("rootkey2", key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("rootkey3", key, CKM::Policy(CKM::Password(), false))),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(labelAliasVector)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          labelAliasVector.size() == (current_aliases_num+3),
          "Wrong size of list: " << labelAliasVector.size() << " Expected: " << (current_aliases_num+3));
@@ -345,16 +391,16 @@ RUNNER_TEST(T1022_app_user_save_keys_get_alias)
      size_t current_aliases_num = count_aliases(ALIAS_KEY);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("appkey1", key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("appkey2", key, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("appkey3", key, CKM::Policy(CKM::Password(), false))),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(labelAliasVector)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          labelAliasVector.size() == (current_aliases_num+3),
          "Wrong size of list: " << labelAliasVector.size() << " Expected: " << (current_aliases_num+3));
@@ -382,13 +428,125 @@ RUNNER_TEST(T1023_app_user_save_keys_exportable_flag)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey("appkey4", key, notExportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_NOT_EXPORTABLE == (temp = manager->getKey("appkey4", CKM::Password(), key)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveData("data3", buffer, notExportable)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
+}
+
+RUNNER_TEST(T1024_app_user_save_keys_get_alias_pwd)
+{
+    remove_user_data(USER_APP);
+
+    int exitCode;
+    const int aliasNameCount = 10;
+    auto manager = CKM::Manager::create();
+
+    CKM::AliasPwdVector expected;
+    CKM::RawBuffer buffer(KEY_PEM.begin(), KEY_PEM.end());
+    auto key = CKM::Key::create(buffer, CKM::Password());
+    std::string currentAlias;
+
+    size_t beforeSaveAliasCount = count_aliases(ALIAS_KEY);
+    // make aliases with & without: password protection, exportable flag
+    for (int it = 0; it < aliasNameCount; ++it)
+    {
+        CKM::Policy policy = generate_ckm_policy(it);
+        currentAlias = "T1024_appkey" + std::to_string(it);
+        expected.push_back(std::make_pair(currentAlias, !policy.password.empty()));
+        RUNNER_ASSERT_MSG(
+            CKM_API_SUCCESS == (exitCode = manager->saveKey(currentAlias, key, policy)),
+            "Error=" << CKM::APICodeToString(exitCode));
+    }
+
+    CKM::AliasPwdVector actual;
+
+    RUNNER_ASSERT_MSG(
+        CKM_API_SUCCESS == (exitCode = manager->getKeyAliasPwdVector(actual)),
+        "Error=" << CKM::APICodeToString(exitCode));
+    RUNNER_ASSERT_MSG(
+        actual.size() == (beforeSaveAliasCount + aliasNameCount),
+        "Wrong aliases count: " << actual.size() << " Expected: "
+        << (beforeSaveAliasCount + aliasNameCount));
+    check_alias_info_list_helper(expected, actual, "/User ");
+
+    remove_user_data(USER_APP);
+}
+
+RUNNER_TEST(T1025_app_user_save_certificates_get_alias_pwd)
+{
+    remove_user_data(USER_APP);
+
+    int exitCode;
+    const int aliasNameCount = 10;
+    auto manager = CKM::Manager::create();
+
+    CKM::AliasPwdVector expected;
+    auto cert = TestData::getTestCertificate(TestData::THIRD_PARTY_LEAF);
+    std::string currentAlias;
+
+    size_t beforeSaveAliasCount = count_aliases(ALIAS_CERT);
+    for (int it = 0; it < aliasNameCount; ++it)
+    {
+        CKM::Policy policy = generate_ckm_policy(it);
+        currentAlias = "T1025_appcert" + std::to_string(it);
+        expected.push_back(std::make_pair(currentAlias, !policy.password.empty()));
+        RUNNER_ASSERT_MSG(
+                CKM_API_SUCCESS == (exitCode = manager->saveCertificate(currentAlias, cert, policy)),
+                    "Error=" << CKM::APICodeToString(exitCode));
+    }
+
+    CKM::AliasPwdVector actual;
+    RUNNER_ASSERT_MSG(
+        CKM_API_SUCCESS == (exitCode = manager->getCertificateAliasPwdVector(actual)),
+        "Error=" << CKM::APICodeToString(exitCode));
+    RUNNER_ASSERT_MSG(
+        actual.size() == (beforeSaveAliasCount + aliasNameCount),
+        "Wrong aliases count: " << actual.size() << " Expected: "
+        << (beforeSaveAliasCount + aliasNameCount));
+    check_alias_info_list_helper(expected, actual, "/User ");
+
+    remove_user_data(USER_APP);
+}
+
+RUNNER_TEST(T1026_app_user_save_data_get_alias_pwd)
+{
+    remove_user_data(USER_APP);
+
+    int exitCode;
+    const int aliasNameCount = 10;
+    auto manager = CKM::Manager::create();
+
+    CKM::AliasPwdVector expected;
+    std::string binData = "My bin data";
+    CKM::RawBuffer buffer(binData.begin(), binData.end());
+    std::string currentAlias;
+
+    size_t beforeSaveAliasCount = count_aliases(ALIAS_DATA);
+    for (int it = 0; it < aliasNameCount; ++it)
+    {
+        CKM::Policy policy = generate_ckm_policy(it);
+        currentAlias = "T1026_appdata" + std::to_string(it);
+        expected.push_back(std::make_pair(currentAlias, !policy.password.empty()));
+        RUNNER_ASSERT_MSG(
+            CKM_API_SUCCESS == (exitCode = manager->saveData(currentAlias, buffer, policy)),
+                "Error=" << CKM::APICodeToString(exitCode));
+    }
+
+    CKM::AliasPwdVector actual;
+    RUNNER_ASSERT_MSG(
+        CKM_API_SUCCESS == (exitCode = manager->getDataAliasPwdVector(actual)),
+        "Error=" << CKM::APICodeToString(exitCode));
+    RUNNER_ASSERT_MSG(
+        actual.size() == (beforeSaveAliasCount + aliasNameCount),
+        "Wrong aliases count: " << actual.size() << " Expected: "
+        << (beforeSaveAliasCount + aliasNameCount));
+    check_alias_info_list_helper(expected, actual, "/User ");
+
+    remove_user_data(USER_APP);
  }
  
  RUNNER_TEST(T1029_deinit)
@@ -418,16 +576,16 @@ RUNNER_TEST(T1032_app_user_save_bin_data)
      size_t current_aliases_num = count_aliases(ALIAS_DATA);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("appdata1", buffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("appdata2", buffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("appdata3", buffer, CKM::Policy(CKM::Password(), true))),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(labelAliasVector)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          labelAliasVector.size() == (current_aliases_num+3),
          "Wrong size of list: " << labelAliasVector.size() << " Expected: " << (current_aliases_num+3));
@@ -449,16 +607,16 @@ RUNNER_TEST(T1034_app_remove_bin_data)
      std::string invalid_address = aliasWithLabel("i-do-not-exist", "appdata1");
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->removeAlias(invalid_address.c_str())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->removeAlias("appdata1")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->removeAlias("appdata3")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getDataAliasVector(labelAliasVector)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          labelAliasVector.size() == (current_aliases_num-2),
          "Wrong size of list: " << labelAliasVector.size() << " Expected: " << (current_aliases_num-2));
@@ -466,13 +624,13 @@ RUNNER_TEST(T1034_app_remove_bin_data)
      CKM::RawBuffer buffer;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getData("appdata2", CKM::Password(), buffer)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          buffer == buffer2,
          "Data corrupted");
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->getData("appdata3", CKM::Password(), buffer)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1035_getData_wrong_password)
@@ -488,19 +646,19 @@ RUNNER_TEST(T1035_getData_wrong_password)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveData("data4", buffer1, CKM::Policy("CorrectPassword"))),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      CKM::RawBuffer buffer;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getData("data4", CKM::Password("CorrectPassword"), buffer)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          buffer == buffer1,
          "Data corrupted");
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getData("data4", CKM::Password("WrongPassword"), buffer)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1036_deinit)
@@ -517,7 +675,7 @@ RUNNER_TEST(T1040_init)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->unlockUserKey(USER_APP, "user-pass")),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1041_create_RSA_key)
@@ -529,10 +687,10 @@ RUNNER_TEST(T1041_create_RSA_key)
      size_t current_aliases_num = count_aliases(ALIAS_KEY);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairRSA(2048, CKM::Alias("PRV_KEY1_RSA"), CKM::Alias("PUB_KEY1_RSA"), CKM::Policy(), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          (current_aliases_num+2) == static_cast<size_t>(temp = av.size()),
          "Vector size: " << temp << ". Expected: " << (current_aliases_num+2));
@@ -546,10 +704,10 @@ RUNNER_TEST(T1042_create_RSA_key_foreign_label)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->createKeyPairRSA(2048, CKM::Alias("iamsomebodyelse PRV_KEY2_RSA"), CKM::Alias("PUB_KEY2_RSA"), CKM::Policy(), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->createKeyPairRSA(2048, CKM::Alias("PRV_KEY2_RSA"), CKM::Alias("iamsomebodyelse PUB_KEY2_RSA"), CKM::Policy(), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1043_create_DSA_key)
@@ -561,10 +719,10 @@ RUNNER_TEST(T1043_create_DSA_key)
      size_t current_aliases_num = count_aliases(ALIAS_KEY);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairDSA(1024, CKM::Alias("PRV_KEY1_DSA"), CKM::Alias("PUB_KEY1_DSA"), CKM::Policy(), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          (current_aliases_num+2) == static_cast<size_t>(temp = av.size()),
          "Vector size: " << temp << ". Expected: " << (current_aliases_num+2));
@@ -579,10 +737,10 @@ RUNNER_TEST(T1044_create_AES_key)
      int current_aliases_num = count_aliases(ALIAS_KEY);
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyAES(128, CKM::Alias("KEY1_AES"), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getKeyAliasVector(av)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          (current_aliases_num+1) == (temp = av.size()),
          "Vector size: " << temp << ". Expected: " << (current_aliases_num+1));
@@ -611,10 +769,10 @@ RUNNER_TEST(T1111_CreateKeyPairRSA)
      CKM::Policy p2;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairRSA(1024, a1, a2, p1, p2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (temp = manager->createKeyPairRSA(1024, a1, a2, p1, p2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1112_CreateKeyPairDSA)
@@ -627,10 +785,10 @@ RUNNER_TEST(T1112_CreateKeyPairDSA)
      CKM::Policy p2;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairDSA(1024, a1, a2, p1, p2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (temp = manager->createKeyPairDSA(1024, a1, a2, p1, p2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1113_CreateKeyPairECDSA)
@@ -643,7 +801,7 @@ RUNNER_TEST(T1113_CreateKeyPairECDSA)
      CKM::Policy p2;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createKeyPairECDSA(CKM::ElipticCurve::prime192v1, a1, a2, p1, p2)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1114_deinit)
@@ -681,10 +839,10 @@ RUNNER_TEST(T12101_key_exist)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  /*
@@ -714,7 +872,7 @@ RUNNER_TEST(T12102_saveKey_empty_alias)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12103_saveKey_foreign_label)
@@ -739,7 +897,7 @@ RUNNER_TEST(T12103_saveKey_foreign_label)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12104_saveKey_empty_key)
@@ -753,7 +911,7 @@ RUNNER_TEST(T12104_saveKey_empty_key)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12105_saveCertificate_empty_alias)
@@ -767,7 +925,7 @@ RUNNER_TEST(T12105_saveCertificate_empty_alias)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveCertificate(alias, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12106_saveCertificate_foreign_label)
@@ -781,7 +939,7 @@ RUNNER_TEST(T12106_saveCertificate_foreign_label)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveCertificate(alias, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12107_saveCertificate_empty_cert)
@@ -795,7 +953,7 @@ RUNNER_TEST(T12107_saveCertificate_empty_cert)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveCertificate(alias, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12108_saveData_empty_alias)
@@ -810,7 +968,7 @@ RUNNER_TEST(T12108_saveData_empty_alias)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveData(alias, buffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12109_saveData_foreign_label)
@@ -825,7 +983,7 @@ RUNNER_TEST(T12109_saveData_foreign_label)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_ACCESS_DENIED == (temp = manager->saveData(alias, buffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12110_saveData_empty_data)
@@ -839,7 +997,7 @@ RUNNER_TEST(T12110_saveData_empty_data)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveData(alias, buffer, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  /*
@@ -857,7 +1015,7 @@ RUNNER_TEST(T12111_getKey_alias_not_exist)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->getKey(alias, "", key)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12112_getCertificate_alias_not_exist)
@@ -871,7 +1029,7 @@ RUNNER_TEST(T12112_getCertificate_alias_not_exist)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->getCertificate(alias, CKM::Password(), certificate)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12113_getData_alias_not_exist)
@@ -884,7 +1042,7 @@ RUNNER_TEST(T12113_getData_alias_not_exist)
      CKM::Alias alias("some alias");
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->getData(alias, "", buffer)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  /*
@@ -916,7 +1074,7 @@ RUNNER_TEST(T12114_RSA_key_damaged)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12115_RSA_key_too_short)
@@ -942,7 +1100,7 @@ RUNNER_TEST(T12115_RSA_key_too_short)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12116_DSA_key_too_short)
@@ -971,7 +1129,7 @@ RUNNER_TEST(T12116_DSA_key_too_short)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12117_AES_key_too_short)
@@ -987,7 +1145,7 @@ RUNNER_TEST(T12117_AES_key_too_short)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  /*
@@ -1035,7 +1193,7 @@ RUNNER_TEST(T12118_RSA_key_damaged_serviceTest)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (ret = manager->saveKey(alias, key, CKM::Policy())),
-        "Error=" << CKMErrorToString(ret));
+        "Error=" << CKM::APICodeToString(ret));
  }
  
  RUNNER_TEST(T12119_saveCertificate_damaged_serviceTest)
@@ -1078,7 +1236,7 @@ RUNNER_TEST(T12119_saveCertificate_damaged_serviceTest)
      auto manager = CKM::Manager::create();
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_INPUT_PARAM == (temp = manager->saveCertificate(alias, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T12120_deinit)
@@ -1145,7 +1303,6 @@ RUNNER_TEST(T13129_get_chain)
      auto manager = CKM::Manager::create();
  
      RUNNER_ASSERT_MSG(NULL != cert.get(), "Certificate should not be empty");
-    RUNNER_ASSERT_MSG(false != cert1.get(), "Certificate should not be empty");
  
      tmp = manager->getCertificateChain(cert,
                                         EMPTY_CERT_VECTOR,
@@ -1153,14 +1310,14 @@ RUNNER_TEST(T13129_get_chain)
                                         true,
                                         certChain);
      RUNNER_ASSERT_MSG(CKM_API_ERROR_VERIFICATION_FAILED == tmp,
-                         "Error=" << CKMErrorToString(tmp));
+                         "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          0 == certChain.size(),
          "Wrong size of certificate chain.");
  
      tmp = manager->getCertificateChain(cert, certVector, EMPTY_CERT_VECTOR, true, certChain);
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKMErrorToString(tmp));
+    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          3 == certChain.size(),
@@ -1184,7 +1341,7 @@ RUNNER_TEST(T1313_get_chain_with_alias)
  
      tmp = manager->getCertificateChain(cert, aliasVector, EMPTY_ALIAS_VECTOR, true, certChain);
      RUNNER_ASSERT_MSG(CKM_API_ERROR_VERIFICATION_FAILED == tmp,
-                         "Error=" << CKMErrorToString(tmp));
+                         "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          0 == certChain.size(),
@@ -1192,12 +1349,12 @@ RUNNER_TEST(T1313_get_chain_with_alias)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->saveCertificate(alias, cert1, CKM::Policy())),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      aliasVector.push_back(alias);
  
      tmp = manager->getCertificateChain(cert, aliasVector, EMPTY_ALIAS_VECTOR, true, certChain);
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKMErrorToString(tmp));
+    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          3 == certChain.size(),
@@ -1219,14 +1376,14 @@ RUNNER_TEST(T13141_ocsp_check_valid_chain)
  
      tmp = manager->getCertificateChain(cert, EMPTY_CERT_VECTOR, EMPTY_CERT_VECTOR, true, certChain);
      RUNNER_ASSERT_MSG(CKM_API_ERROR_VERIFICATION_FAILED == tmp,
-                         "Error=" << CKMErrorToString(tmp));
+                         "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          0 == certChain.size(),
          "Wrong size of certificate chain.");
  
      tmp = manager->getCertificateChain(cert, certVector, EMPTY_CERT_VECTOR, true, certChain);
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKMErrorToString(tmp));
+    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          3 == certChain.size(),
@@ -1235,7 +1392,7 @@ RUNNER_TEST(T13141_ocsp_check_valid_chain)
      int status;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->ocspCheck(certChain, status)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(CKM_API_OCSP_STATUS_GOOD == status, "Verfication failed");
  }
@@ -1301,7 +1458,7 @@ RUNNER_TEST(T13145_ocsp_check_no_ocsp)
      int status;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->ocspCheck(certVector, status)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(CKM_API_OCSP_STATUS_UNSUPPORTED == status, "Verfication failed");
  }
@@ -1383,10 +1540,10 @@ RUNNER_TEST(T1412_RSA_key_create_verify)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPub, keyPub, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1396,7 +1553,7 @@ RUNNER_TEST(T1412_RSA_key_create_verify)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1406,7 +1563,7 @@ RUNNER_TEST(T1412_RSA_key_create_verify)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1413_DSA_key_create_verify)
@@ -1458,10 +1615,10 @@ RUNNER_TEST(T1413_DSA_key_create_verify)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPub, keyPub, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1471,7 +1628,7 @@ RUNNER_TEST(T1413_DSA_key_create_verify)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1481,7 +1638,7 @@ RUNNER_TEST(T1413_DSA_key_create_verify)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  
@@ -1519,10 +1676,10 @@ RUNNER_TEST(T1414_ECDSA_key_create_verify)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPub, keyPub, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1532,7 +1689,7 @@ RUNNER_TEST(T1414_ECDSA_key_create_verify)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1542,7 +1699,7 @@ RUNNER_TEST(T1414_ECDSA_key_create_verify)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
  
@@ -1556,7 +1713,7 @@ RUNNER_TEST(T1414_ECDSA_key_create_verify)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1415_RSA_key_create_verify_negative)
@@ -1580,7 +1737,7 @@ RUNNER_TEST(T1415_RSA_key_create_verify_negative)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1590,7 +1747,7 @@ RUNNER_TEST(T1415_RSA_key_create_verify_negative)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
      memcpy((void*)signature.data(), "BROKEN", 6);
@@ -1603,7 +1760,7 @@ RUNNER_TEST(T1415_RSA_key_create_verify_negative)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1416_DSA_key_create_verify_negative)
@@ -1627,7 +1784,7 @@ RUNNER_TEST(T1416_DSA_key_create_verify_negative)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1637,7 +1794,7 @@ RUNNER_TEST(T1416_DSA_key_create_verify_negative)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
      memcpy((void*)signature.data(), "BROKEN", 6);
@@ -1650,7 +1807,7 @@ RUNNER_TEST(T1416_DSA_key_create_verify_negative)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1417_RSA_cert_create_verify_signature)
@@ -1711,10 +1868,10 @@ RUNNER_TEST(T1417_RSA_cert_create_verify_signature)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveCertificate(aliasPub, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1724,7 +1881,7 @@ RUNNER_TEST(T1417_RSA_cert_create_verify_signature)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1734,7 +1891,7 @@ RUNNER_TEST(T1417_RSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
  
@@ -1748,7 +1905,7 @@ RUNNER_TEST(T1417_RSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1418_DSA_cert_create_verify_signature)
@@ -1808,10 +1965,10 @@ RUNNER_TEST(T1418_DSA_cert_create_verify_signature)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveCertificate(aliasPub, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1821,7 +1978,7 @@ RUNNER_TEST(T1418_DSA_cert_create_verify_signature)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1831,7 +1988,7 @@ RUNNER_TEST(T1418_DSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
  
@@ -1845,7 +2002,7 @@ RUNNER_TEST(T1418_DSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature)
@@ -1899,10 +2056,10 @@ RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveCertificate(aliasPub, cert, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->createSignature(
@@ -1912,7 +2069,7 @@ RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -1922,7 +2079,7 @@ RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
  
@@ -1936,7 +2093,7 @@ RUNNER_TEST(T1419_ECDSA_cert_create_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1420_deinit)
@@ -2009,10 +2166,10 @@ RUNNER_TEST(T14180_init)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPub, keyPub, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasPrv, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      // Prepare ECDSA Key Pair
      std::string ecprv = "-----BEGIN EC PRIVATE KEY-----\n"
@@ -2039,10 +2196,10 @@ RUNNER_TEST(T14180_init)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasEcPub, ecKeyPub, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(aliasEcPrv, ecKeyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  
@@ -2067,7 +2224,7 @@ RUNNER_TEST(T14181_RSA_create_signatue_nohash)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -2077,7 +2234,7 @@ RUNNER_TEST(T14181_RSA_create_signatue_nohash)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
      memcpy((void*)signature.data(), "BROKEN", 6);
@@ -2090,7 +2247,7 @@ RUNNER_TEST(T14181_RSA_create_signatue_nohash)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T14182_RSA_create_signatue_nohash_nopad)
@@ -2114,7 +2271,7 @@ RUNNER_TEST(T14182_RSA_create_signatue_nohash_nopad)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T14183_RSA_create_signatue_nohash_bigmsg)
@@ -2157,7 +2314,7 @@ RUNNER_TEST(T14183_RSA_create_signatue_nohash_bigmsg)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  
@@ -2168,78 +2325,22 @@ RUNNER_TEST(T14184_ECDSA_create_signatue_nohash)
  
      std::string message = "message test";
  
-    CKM::Alias aliasPub = "ecpub_nohash1";
      CKM::Alias aliasPrv = "ecprv_nohash1";
      CKM::HashAlgorithm hash = CKM::HashAlgorithm::NONE;
      CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::PKCS1;
      CKM::RawBuffer signature;
  
      RUNNER_ASSERT_MSG(
-        CKM_API_SUCCESS == (temp = manager->createSignature(
-                                        aliasPrv,
-                                        CKM::Password(),
-                                        CKM::RawBuffer(message.begin(), message.end()),
-                                        hash,
-                                        padd,
-                                        signature)),
-        "Error=" << CKMErrorToString(temp));
-
-    RUNNER_ASSERT_MSG(
-        CKM_API_SUCCESS == (temp = manager->verifySignature(
-                                        aliasPub,
-                                        CKM::Password(),
-                                        CKM::RawBuffer(message.begin(), message.end()),
-                                        signature,
-                                        hash,
-                                        padd)),
-        "Error=" << CKMErrorToString(temp));
-
-    RUNNER_ASSERT_MSG(signature.size() > 6, "Signature is too small");
-
-    memcpy((void*)signature.data(), "BROKEN", 6);
-
-    RUNNER_ASSERT_MSG(
-        CKM_API_ERROR_VERIFICATION_FAILED == (temp = manager->verifySignature(
-                                        aliasPub,
-                                        CKM::Password(),
-                                        CKM::RawBuffer(message.begin(), message.end()),
-                                        signature,
-                                        hash,
-                                        padd)),
-        "Error=" << CKMErrorToString(temp));
-}
-
-RUNNER_TEST(T14185_ECDSA_create_signatue_nohash_bigmsg)
-{
-    int temp;
-    auto manager = CKM::Manager::create();
-
-    int msgSize = 1024*1024;
-    char big_msg[msgSize];
-    for(int i =0; i<msgSize-1; i++) {
-        big_msg[i] = 'a';
-    }
-    big_msg[msgSize-1]=0x00;
-    std::string message(big_msg);
-
-    CKM::Alias aliasPub = "ecpub_nohash1";
-    CKM::Alias aliasPrv = "ecprv_nohash1";
-    CKM::HashAlgorithm hash = CKM::HashAlgorithm::NONE;
-    CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::NONE;
-    CKM::RawBuffer signature;
-
-    RUNNER_ASSERT_MSG(
-            CKM_API_SUCCESS == (temp = manager->createSignature(
+        CKM_API_ERROR_INPUT_PARAM == (temp = manager->createSignature(
                                          aliasPrv,
                                          CKM::Password(),
                                          CKM::RawBuffer(message.begin(), message.end()),
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
-
  RUNNER_TEST(T14189_deinit)
  {
      remove_user_data(USER_APP);
@@ -2363,11 +2464,11 @@ RUNNER_TEST(T1804_add_PKCS_collision_with_existing_alias)
      int temp;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(alias_PKCS_collision, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (temp = manager->savePKCS12(alias_PKCS_collision, pkcs, CKM::Policy(), CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1805_add_bundle_with_chain_certificates)
@@ -2407,34 +2508,34 @@ RUNNER_TEST(T1805_add_bundle_with_chain_certificates)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->savePKCS12(alias_PKCS_exportable, pkcs, exportable, exportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (tmp = manager->savePKCS12(alias_PKCS_exportable, pkcs, exportable, exportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->savePKCS12(alias_PKCS_not_exportable, pkcs, notExportable, notExportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_EXISTS == (tmp = manager->savePKCS12(alias_PKCS_not_exportable, pkcs, notExportable, notExportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      // try to lookup key
      CKM::KeyShPtr key_lookup;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->getKey(alias_PKCS_exportable, CKM::Password(), key_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_NOT_EXPORTABLE == (tmp = manager->getKey(alias_PKCS_not_exportable, CKM::Password(), key_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      // try to lookup certificate
      CKM::CertificateShPtr cert_lookup;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->getCertificate(alias_PKCS_exportable, CKM::Password(), cert_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_NOT_EXPORTABLE == (tmp = manager->getCertificate(alias_PKCS_not_exportable, CKM::Password(), cert_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_TEST(T1806_get_PKCS)
@@ -2447,17 +2548,17 @@ RUNNER_TEST(T1806_get_PKCS)
      // fail - no entry
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (temp = manager->getPKCS12("i-do-not-exist", pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      // fail - not exportable
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_NOT_EXPORTABLE == (temp = manager->getPKCS12(alias_PKCS_not_exportable, pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      // success - exportable
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getPKCS12(alias_PKCS_exportable, pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      auto cert = pkcs->getCertificate();
      RUNNER_ASSERT_MSG(
@@ -2494,7 +2595,7 @@ RUNNER_TEST(T1807_create_and_verify_signature)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -2504,7 +2605,7 @@ RUNNER_TEST(T1807_create_and_verify_signature)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS)
@@ -2512,21 +2613,23 @@ RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS)
      int temp;
      auto manager = CKM::Manager::create();
  
-    std::string prv = "-----BEGIN RSA PRIVATE KEY-----\n"
-        "MIICXQIBAAKBgQD1W9neUbXL1rnq9SvyzprjhWBKXyYKQirG3V2zyUnUaE24Sq2I\n"
-        "v7ISrwMN/G6WcjrGmeZDEWwrL4zXh002N8BD1waJPRonxwtVkhFy3emGatSmx7eI\n"
-        "ely5H+PBNImRvBh2u4GWga6OEXcUNdfaBUcxn+P6548/zpDhyNLzQKk5FwIDAQAB\n"
-        "AoGAR+4WkBuqTUj1FlGsAbHaLKt0UDlWwJknS0eoacWwFEpDxqx19WolfV67aYVA\n"
-        "snBolMKXg7/+0yZMhv8Ofr+XaHkPQplVVn9BwT0rmtEovJXwx+poRP9Bm3emglj/\n"
-        "iYd8EkaXDlIXCtewtQW9JEIctWppntHj3TvA/h7FCXPN6SkCQQD/N7sn5S1gBkVh\n"
-        "dyXQKoyKsZDb7hMIS1q6cKwYCMf2UrsD1/lnr7xXkvORdL213MfueO8g0WkuKfRY\n"
-        "bDD6WGX1AkEA9hxiOlsgvermqLJkOlJffbSaM8n/6wtnM0HV+Vd9NfSBOmxFDXPO\n"
-        "vrvdgiDPENhbqTJSQVDsfzHilTpK7lEvWwJBAJLxHoOg0tg3pBiyxgWtic+M3q+R\n"
-        "ykl7QViY6KzJ2X98MIrM/Z7yMollZXE4+sVLwZ0O6fdGOr3GkBWc7TImVUUCQQC7\n"
-        "pf6bQfof9Ce0fnf/I+ldHkPost7nJsWkBlGQkM2OQwP5OK4ZyK/dK76DxmI7FMwm\n"
-        "oJCo7nuzq6R4ZX7WYJ47AkBavxBDo/e9/0Vk5yrloGKW3f8RQXBJLcCkVUGyyJ3D\n"
-        "3gu/nafW4hzjSJniTjC1fOj0eb0OSg1JAvqHTYAnUsI7\n"
-        "-----END RSA PRIVATE KEY-----";
+    std::string prv =
+        "-----BEGIN RSA PRIVATE KEY-----\n"
+        "MIICWwIBAAKBgQDDgmPurTQa3wbnlM+9nCEQvhDviYRvSC9TL5lAMBCmBSl93v0U\n"
+        "BXWsqO+fmAINm5QJa89hF5N7Q4xtvfSJUPIeyzowTOEGM4U3FnJtlsNQsoNbFlNy\n"
+        "QLoZZmmY4ljG6/YqX+JGBgS9/J8uvaDWkvs+ktkORygfNz4Gi5DERT7eeQIDAQAB\n"
+        "AoGAARIqx/js6yTDnesjxC8hwzy3TQic0Bs+Hx+IoGBjBvXKR2U8T6rD/UEjpuUn\n"
+        "RbnPcsnDZg3CAg/ZqhQ7TbFC0kPo+S6+wKsZGDWUUvnpMkdcZUqXel8GFhdnmeIh\n"
+        "22vYthP4TCbolxwXlwvuhu0PLZWhRO/Z+g37T3QENexqGv0CQQDmqJ9PDoUj5eUR\n"
+        "wWEqEPraoU6ARBUUX5EhmTT9g9/BXnhwumIOksDHcBqNUwNOlKCUlWfBOelO93Ys\n"
+        "PRW3QyejAkEA2P0tW/8iU4j+0a6DV+TUYFDTjD29y8KPw0Aj59591xD5eIPK3IgU\n"
+        "91vnmtvU/QR26PnMOx4OAPk9a7BtN62zMwJAIFV0950edtjMUr/cAgydTbadDYf9\n"
+        "uHxpGN+kOQGahT3b/llyU36o/YwufK8tYH+fPxTulXyrwwEXlL3/ZFBKpwJAeLGS\n"
+        "Wlp2WGqZ+j2MdwYkDxLGKHprKHwnBN6XWjCKZGbfrGX6H2Jd7xyinaNrO/UQwxO2\n"
+        "wqc7+NSpkk3G4jJuuwJAODYlk2Q+djE4jkjDc4xiqsQGBQlI2dlgzjRjIF4HWiLx\n"
+        "bIrI0uCCbGItx++hlvmDx7G8anBmIFfBWIaKdX0aWw==\n"
+        "-----END RSA PRIVATE KEY-----\n";
+
      std::string message = "message test";
  
      auto keyPrv = CKM::Key::create(CKM::RawBuffer(prv.begin(), prv.end()), CKM::Password());
@@ -2535,7 +2638,7 @@ RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(alias_PKCS_priv_key_copy, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      CKM::HashAlgorithm hash = CKM::HashAlgorithm::SHA256;
      CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::PKCS1;
@@ -2549,7 +2652,7 @@ RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->verifySignature(
@@ -2559,7 +2662,7 @@ RUNNER_TEST(T1808_create_signature_on_raw_key_and_verify_on_PKCS)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1809_create_signature_on_wrong_key_and_verify_on_PKCS)
@@ -2591,7 +2694,7 @@ RUNNER_TEST(T1809_create_signature_on_wrong_key_and_verify_on_PKCS)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->saveKey(alias_PKCS_priv_key_wrong, keyPrv, CKM::Policy())),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      CKM::HashAlgorithm hash = CKM::HashAlgorithm::SHA256;
      CKM::RSAPaddingAlgorithm padd = CKM::RSAPaddingAlgorithm::PKCS1;
@@ -2605,7 +2708,7 @@ RUNNER_TEST(T1809_create_signature_on_wrong_key_and_verify_on_PKCS)
                                          hash,
                                          padd,
                                          signature)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_VERIFICATION_FAILED == (temp = manager->verifySignature(
@@ -2615,7 +2718,7 @@ RUNNER_TEST(T1809_create_signature_on_wrong_key_and_verify_on_PKCS)
                                          signature,
                                          hash,
                                          padd)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1810_verify_get_certificate_chain)
@@ -2623,15 +2726,21 @@ RUNNER_TEST(T1810_verify_get_certificate_chain)
      // this certificate has been signed using PKCS chain
      std::string im =
          "-----BEGIN CERTIFICATE-----\n"
-        "MIIBozCCAQwCAQEwDQYJKoZIhvcNAQEFBQAwHDEaMBgGA1UEAwwRc2VydmVyQHRl\n"
-        "c3RtZS5jb20wHhcNMTUxMjA5MTA0NjU0WhcNMjUxMjA2MTA0NjU0WjAYMRYwFAYD\n"
-        "VQQDDA1lZUB0ZXN0bWUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDP\n"
-        "+fNsZB1Vlmhnk0IwYDs7Pw9E38KQfTt/egqqRFN6IvIt0CCDBXqnPTujuvlO2OyL\n"
-        "XVuALnIBmTDm5Oz+oz+qiY6/XrVS/CoACNZyMo6ihG9OeocvDbU3jXEaPGL6ib/x\n"
-        "jlms0aA9d5L9TO2lEzEP7bFKgHCB8FWINcxSP5zl1QIDAQABMA0GCSqGSIb3DQEB\n"
-        "BQUAA4GBAKBpVJMkdK6/qnAz7d7Bul/BhhSLEYbNPdxRiUj3U2dt0GJgswMu2SNT\n"
-        "/3NXB8V8mnnXR6cWn5bmjyA7ZpQEKAatS/KEQ9wfLXyCgYDRebX71mVKAI3XcyxB\n"
-        "p2qsOWWaJhuHmC1GVjx3foL+RDrmRo6BiucNHMIuvrd1W36eKdhj\n"
+        "MIICxDCCAi0CFGHuCEUksqn0Rr3SXdhn+TlnL804MA0GCSqGSIb3DQEBCwUAMGEx\n"
+        "CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl\n"
+        "cm5ldCBXaWRnaXRzIFB0eSBMdGQxGjAYBgNVBAMMEXNlcnZlckB0ZXN0bWUuY29t\n"
+        "MB4XDTE5MDYxMzEyMTkyNloXDTI5MDYxMDEyMTkyNlowXTELMAkGA1UEBhMCQVUx\n"
+        "EzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMg\n"
+        "UHR5IEx0ZDEWMBQGA1UEAwwNZWVAdGVzdG1lLmNvbTCCASIwDQYJKoZIhvcNAQEB\n"
+        "BQADggEPADCCAQoCggEBAK3/XvE3uc2EhzwmsAfq6KEw52J8kCAB9Rma/qjkw6ZT\n"
+        "yUYmSQvmcK8wSDt015Y/ekYLereCeWNLNkFlQeZC7LHT6T1mGnxNIgL3oUS2c+15\n"
+        "FEYX9QJIN/CoJYQ/tmiQPa1OJz4prUFwqAzM1kRtHGfcAGmQHfgu77P3ljAJzfsW\n"
+        "2beVHM+MTNSybkGHql28Z93bp382k5FQXegkxbozsKBMk37QjKiqes29J/ET0Huy\n"
+        "yzOkf+XvbizIPRvMt/2guw9sgRb7YrM2M+igmHIHxfzxuqzpPr+bmcqQdyFdVkAK\n"
+        "Qcx930HbfjHJ5k5vcovPLQ3LvSnYVCTe7aCAAmMzKXsCAwEAATANBgkqhkiG9w0B\n"
+        "AQsFAAOBgQBfFMim/9zLd+EeZyeYA0vy3C9YuNJI+KsZlKAfrFDQNeIT/qg/GQM4\n"
+        "o7I3TIHQ62tdEx6nBJs0DKSAmhRh4yc+P1KHMzIQIgSjftqS3Z+AKbJn6vOpWNTq\n"
+        "cexnpexaNn69dbqJZsjr0fHsGAkh5n96icAB4VZyFncEknZKbTdd0g==\n"
          "-----END CERTIFICATE-----\n";
  
      auto cert = CKM::Certificate::create(CKM::RawBuffer(im.begin(), im.end()), CKM::DataFormat::FORM_PEM);
@@ -2649,7 +2758,7 @@ RUNNER_TEST(T1810_verify_get_certificate_chain)
                                         true,
                                         certChain);
      RUNNER_ASSERT_MSG(CKM_API_ERROR_VERIFICATION_FAILED == tmp,
-                         "Error=" << CKMErrorToString(tmp));
+                         "Error=" << CKM::APICodeToString(tmp));
  
      RUNNER_ASSERT_MSG(
          0 == certChain.size(),
@@ -2658,7 +2767,7 @@ RUNNER_TEST(T1810_verify_get_certificate_chain)
      aliasVector.push_back(alias_PKCS_exportable);
  
      tmp = manager->getCertificateChain(cert, EMPTY_ALIAS_VECTOR, aliasVector, false, certChain);
-    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKMErrorToString(tmp));
+    RUNNER_ASSERT_MSG(CKM_API_SUCCESS == tmp, "Error=" << CKM::APICodeToString(tmp));
  
      // 1(cert) + 1(pkcs12 cert) + 2(pkcs12 chain cert) = 4
      RUNNER_ASSERT_MSG(
@@ -2675,29 +2784,29 @@ RUNNER_TEST(T1811_remove_bundle_with_chain_certificates)
      // remove the whole PKCS12 bundles
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->removeAlias(alias_PKCS_exportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = manager->removeAlias(alias_PKCS_not_exportable)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      // expect lookup fails due to unknown alias
      // try to lookup key
      CKM::KeyShPtr key_lookup;
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (tmp = manager->getKey(alias_PKCS_exportable, CKM::Password(), key_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (tmp = manager->getKey(alias_PKCS_not_exportable, CKM::Password(), key_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  
      // try to lookup certificate
      CKM::CertificateShPtr cert_lookup;
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (tmp = manager->getCertificate(alias_PKCS_exportable, CKM::Password(), cert_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == (tmp = manager->getCertificate(alias_PKCS_not_exportable, CKM::Password(), cert_lookup)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_TEST(T1812_get_pkcs12_password_tests)
@@ -2724,32 +2833,32 @@ RUNNER_TEST(T1812_get_pkcs12_password_tests)
      int temp;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->savePKCS12(alias, pkcs, CKM::Policy(pass1), CKM::Policy(pass2))),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getPKCS12(alias, pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getPKCS12(alias, CKM::Password(), CKM::Password(), pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getPKCS12(alias, pass1, CKM::Password(), pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getPKCS12(alias, CKM::Password(), pass2, pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getPKCS12(alias, pass1, pass2, pkcs)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      CKM::CertificateShPtr cert;
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = manager->getCertificate(alias, pass2, cert)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  
      CKM::CertificateShPtrVector certChain;
      CKM::AliasVector certVect;
@@ -2757,7 +2866,7 @@ RUNNER_TEST(T1812_get_pkcs12_password_tests)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_AUTHENTICATION_FAILED == (temp = manager->getCertificateChain(cert, certVect, certVect, true, certChain)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST(T1813_deinit)
@@ -2767,7 +2876,7 @@ RUNNER_TEST(T1813_deinit)
  
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (temp = control->lockUserKey(USER_APP)),
-        "Error=" << CKMErrorToString(temp));
+        "Error=" << CKM::APICodeToString(temp));
  }
  
  RUNNER_TEST_GROUP_INIT(T190_CKM_EMPTY_STORAGE_TESTS);
@@ -2790,7 +2899,7 @@ RUNNER_TEST(T1902_get_data)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_ALIAS_UNKNOWN == status1,
-        "Could not put certificate in datbase. Error=" << CKMErrorToString(status1));
+        "Could not put certificate in datbase. Error=" << CKM::APICodeToString(status1));
  }
  
  RUNNER_TEST(T1903_lock_database)
@@ -2799,7 +2908,7 @@ RUNNER_TEST(T1903_lock_database)
      auto control = CKM::Control::create();
      RUNNER_ASSERT_MSG(
          CKM_API_SUCCESS == (tmp = control->lockUserKey(USER_APP)),
-        "Error=" << CKMErrorToString(tmp));
+        "Error=" << CKM::APICodeToString(tmp));
  }
  
  RUNNER_TEST(T1904_get_data_from_locked_database)
@@ -2811,7 +2920,7 @@ RUNNER_TEST(T1904_get_data_from_locked_database)
  
      RUNNER_ASSERT_MSG(
          CKM_API_ERROR_DB_LOCKED == status1,
-        "Could not get key from locked database. Error=" << CKMErrorToString(status1));
+        "Could not get key from locked database. Error=" << CKM::APICodeToString(status1));
  }
  
  RUNNER_TEST(T1905_deinit)
diff --git a/src/ckm/unprivileged/sign-verify.cpp b/src/ckm/unprivileged/sign-verify.cpp

new file mode 100644 (file)

index 0000000..c1a7b44
--- /dev/null
+++ b/src/ckm/unprivileged/sign-verify.cpp
@@ -0,0 +1,492 @@
+/*
+ *  Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ */
+/*
+ * @file       sign-verify.cpp
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version    1.0
+ */
+
+#include <string>
+#include <vector>
+#include <unordered_map>
+
+#include <dpl/test/test_runner.h>
+#include <ckm-common.h>
+#include <ckmc/ckmc-manager.h>
+#include <ckmc/ckmc-control.h>
+#include <ckm/ckm-type.h>
+#include <ckm/ckm-manager.h>
+
+using namespace CKM;
+
+namespace {
+
+const char* PASSWORD = "test-password";
+const uid_t UID = 5001;
+
+struct KeyAliasPair
+{
+    Alias prv;
+    Alias pub;
+};
+
+enum Algo {
+    RSA,
+    DSA,
+    ECDSA
+};
+
+// algo names
+const std::unordered_map<Algo, std::string> ALGO2STR = {
+        { RSA,   "RSA" },
+        { DSA,   "DSA" },
+        { ECDSA, "ECDSA" },
+};
+
+// keys
+std::unordered_map<Algo, std::unordered_map<size_t, std::vector<KeyAliasPair>>> KEYS;
+
+enum KeyIdx {
+    PRIMARY = 0,
+    PASSWORD_PROTECTED = 1,
+
+    KEY_IDX_MAX
+};
+
+// hash algo names
+const std::unordered_map<ckmc_hash_algo_e, std::string> HASH2STR = {
+#ifndef TZ_BACKEND
+        // no hash is not supported in TZ
+        { CKMC_HASH_NONE,   "NONE" },
+#endif
+        { CKMC_HASH_SHA1,   "SHA1" },
+        { CKMC_HASH_SHA256, "SHA256" },
+        { CKMC_HASH_SHA384, "SHA384" },
+        { CKMC_HASH_SHA512, "SHA512" },
+};
+
+// padding names
+const std::unordered_map<ckmc_rsa_padding_algo_e, std::string> PAD2STR = {
+#ifndef TZ_BACKEND
+        // no padding is not supported in TZ
+        { CKMC_NONE_PADDING,    "NONE" },
+#endif
+        { CKMC_PKCS1_PADDING,   "PKCS1" },
+#ifndef TZ_BACKEND
+        // X9.31 is not supported in TZ
+        { CKMC_X931_PADDING,    "X931" },
+#endif
+};
+
+const int EC_PRIME192V1 = static_cast<int>(ElipticCurve::prime192v1);
+const int EC_PRIME256V1 = static_cast<int>(ElipticCurve::prime256v1);
+const int EC_SECP384R1 = static_cast<int>(ElipticCurve::secp384r1);
+
+// test  messages
+RawBufferPtr MESSAGE_SHORT;
+std::unordered_map<size_t, RawBufferPtr> MESSAGES;
+RawBufferPtr MESSAGE_LONG;
+
+class SignVerifyGroupFixture: public DPL::Test::TestGroup
+{
+public:
+    void Init() override
+    {
+        remove_user_data(UID);
+        int ret = ckmc_unlock_user_key(UID, "db-pass");
+        if (ret != CKMC_ERROR_NONE)
+            RUNNER_ERROR_MSG("DB unlock failed: " << CKMCErrorToString(ret));
+
+        // Policy backend to use in subsequent operations (global for each test case)
+#ifdef TZ_BACKEND
+        m_backend = PolicyBackend::FORCE_HARDWARE;
+#else
+        m_backend = PolicyBackend::FORCE_SOFTWARE;
+#endif
+
+        // generate keys
+        m_manager = Manager::create();
+        generateKeys(RSA, 1024);
+        generateKeys(RSA, 2048);
+        generateKeys(RSA, 4096);
+        generateKeys(DSA, 1024);
+#ifndef TZ_BACKEND
+        /*
+         * For DSA with SHA1 only 1024-bit keys are supported and TZ does not currently support
+         * anything else than SHA1 for DSA.
+         */
+        generateKeys(DSA, 2048);
+        generateKeys(DSA, 3072);
+        generateKeys(DSA, 4096);
+#endif
+#ifndef TZ_BACKEND
+        // ECDSA is not yet supported on TZ
+        generateKeys(ECDSA, EC_PRIME192V1);
+        generateKeys(ECDSA, EC_PRIME256V1);
+        generateKeys(ECDSA, EC_SECP384R1);
+#endif
+
+        MESSAGE_SHORT = create_raw_buffer(createRandomBufferCAPI(512/8));
+
+        // Set first byte to 0 to avoid "data too large for modulus" error in unpadded RSA
+        MESSAGES[1024] = create_raw_buffer(createRandomBufferCAPI(1024/8));
+        MESSAGES[1024]->data[0] = 0;
+        MESSAGES[2048] = create_raw_buffer(createRandomBufferCAPI(2048/8));
+        MESSAGES[2048]->data[0] = 0;
+        MESSAGES[3072] = create_raw_buffer(createRandomBufferCAPI(3072/8));
+        MESSAGES[3072]->data[0] = 0;
+        MESSAGES[4096]= create_raw_buffer(createRandomBufferCAPI(4096/8));
+        MESSAGES[4096]->data[0] = 0;
+
+        MESSAGE_LONG = create_raw_buffer(createRandomBufferCAPI(1000));
+    }
+
+    void generateKeys(Algo type, size_t bitLen)
+    {
+        for (int i = 0; i < KEY_IDX_MAX; i++)
+        {
+            Policy prvPolicy(Password(), false, m_backend);
+            Policy pubPolicy(Password(), true, m_backend);
+            if (i == PASSWORD_PROTECTED) {
+                prvPolicy.password.assign(PASSWORD);
+                pubPolicy.password.assign(PASSWORD);
+            }
+
+            KeyAliasPair alias;
+            alias.prv = ALGO2STR.at(type) + std::string("_") + std::to_string(bitLen) +
+                        std::string("_") + std::to_string(i);
+            alias.pub = std::string("pub") + alias.prv;
+            int ret;
+            switch (type)
+            {
+            case RSA:
+                ret = m_manager->createKeyPairRSA(bitLen,
+                                                  alias.prv, alias.pub,
+                                                  prvPolicy, pubPolicy);
+                break;
+            case DSA:
+                ret = m_manager->createKeyPairDSA(bitLen,
+                                                  alias.prv, alias.pub,
+                                                  prvPolicy, pubPolicy);
+                break;
+            case ECDSA:
+                ret = m_manager->createKeyPairECDSA(static_cast<ElipticCurve>(bitLen),
+                                                    alias.prv, alias.pub,
+                                                    prvPolicy, pubPolicy);
+                break;
+            default:
+                ret = CKM_API_ERROR_UNKNOWN;
+            }
+            if (ret != CKM_API_SUCCESS)
+                RUNNER_ERROR_MSG("key creation failed. Type: " << ALGO2STR.at(type) <<
+                                 " bits: " << bitLen << " error: " <<  APICodeToString(ret));
+
+            KEYS[type][bitLen].push_back(alias);
+        }
+    }
+
+    void Finish() override
+    {
+        for (const auto &type : KEYS) {
+            for (const auto &entry : type.second) {
+                for (const auto &keyPair : entry.second) {
+                    m_manager->removeAlias(keyPair.prv);
+                    m_manager->removeAlias(keyPair.pub);
+                }
+            }
+        }
+
+        MESSAGE_SHORT.reset();
+
+        int ret = ckmc_lock_user_key(UID);
+        if (ret != CKMC_ERROR_NONE)
+            RUNNER_ERROR_MSG("DB lock failed: " << CKMCErrorToString(ret));
+        remove_user_data(UID);
+    }
+private:
+    ManagerShPtr m_manager;
+    PolicyBackend m_backend;
+};
+
+std::string params2str(const Alias& alias,
+                       const ckmc_hash_algo_e hash,
+                       const ckmc_rsa_padding_algo_e padding,
+                       const RawBufferPtr& message)
+{
+    std::stringstream ss;
+    ss << " Alias: " <<  alias << ", hash algo: " << HASH2STR.at(hash) <<
+          ", padding: " << PAD2STR.at(padding) << ", message len: " << message->size << "B.";
+    return ss.str();
+}
+
+void signExpect(int expected,
+                const Alias& alias,
+                const char* pw,
+                const RawBufferPtr& message,
+                const ckmc_hash_algo_e hash,
+                const ckmc_rsa_padding_algo_e padding,
+                RawBufferPtr& signature)
+{
+    ckmc_raw_buffer_s* cSignature = nullptr;
+
+    int ret = ckmc_create_signature(alias.c_str(), pw, *message, hash, padding, &cSignature);
+    RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature creation." <<
+                                       params2str(alias, hash, padding, message) <<
+                                       " Expected: " << CKMCErrorToString(expected) <<
+                                       " got: " << CKMCErrorToString(ret));
+    if (ret == CKMC_ERROR_NONE) {
+        RUNNER_ASSERT_MSG(cSignature != nullptr && cSignature->size > 0,
+                          "Empty signature returned." <<
+                          params2str(alias, hash, padding, message));
+        signature = create_raw_buffer(cSignature);
+    } else {
+        RUNNER_ASSERT_MSG(cSignature == nullptr,
+                          "Non-empty signature returned." <<
+                          params2str(alias, hash, padding, message));
+    }
+}
+
+void signInvalid(const Alias& alias,
+                 const char* pw,
+                 const RawBufferPtr& message,
+                 const ckmc_hash_algo_e hash,
+                 const ckmc_rsa_padding_algo_e padding)
+{
+    RawBufferPtr signature;
+    signExpect(CKMC_ERROR_INVALID_PARAMETER, alias, pw, message, hash, padding, signature);
+}
+
+void verifyExpect(int expected,
+                  const Alias& alias,
+                  const char* pw,
+                  const RawBufferPtr& message,
+                  const ckmc_hash_algo_e hash,
+                  const ckmc_rsa_padding_algo_e padding,
+                  const RawBufferPtr& signature)
+{
+    int ret = ckmc_verify_signature(alias.c_str(), pw, *message, *signature, hash, padding);
+    RUNNER_ASSERT_MSG(ret == expected, "Unexpected result during signature verification." <<
+                                       params2str(alias, hash, padding, message) <<
+                                       " Expected: " << CKMCErrorToString(expected) <<
+                                       " got: " << CKMCErrorToString(ret));
+}
+
+void signVerify(const KeyAliasPair& aliasPair,
+                const char* pw,
+                const RawBufferPtr& message,
+                const ckmc_hash_algo_e hash,
+                const ckmc_rsa_padding_algo_e padding)
+{
+    RawBufferPtr signature;
+    signExpect(CKMC_ERROR_NONE, aliasPair.prv, pw, message, hash, padding, signature);
+
+    RUNNER_ASSERT_MSG(signature->size > 0, "Empty signature returned");
+
+    verifyExpect(CKMC_ERROR_NONE, aliasPair.pub, pw, message, hash, padding, signature);
+
+    // modify 1 bit of the signature
+    signature->data[0] ^= 0x01;
+
+    // expect verification failure
+    verifyExpect(CKMC_ERROR_VERIFICATION_FAILED,
+                 aliasPair.pub,
+                 pw,
+                 message,
+                 hash,
+                 padding,
+                 signature);
+}
+// test given key pair against all hash and padding algos
+void testSignVerify(Algo algo, size_t keyBits, int idx)
+{
+#ifdef TZ_BACKEND
+    if (algo == DSA && keyBits > 1024)
+        RUNNER_IGNORED_MSG("For DSA with SHA1 only 1024-bit keys are supported and TZ does not"\
+                           " currently support anything else than SHA1 for DSA.");
+    if (algo == ECDSA)
+        RUNNER_IGNORED_MSG("ECDSA is not yet supported in TZ");
+#endif
+
+    std::string pw;
+    if (idx == PASSWORD_PROTECTED)
+        pw = PASSWORD;
+
+    const KeyAliasPair& keys = KEYS[algo][keyBits][idx];
+
+    // iterate over hash algorithms
+    for (const auto& hash : HASH2STR) {
+#ifdef TZ_BACKEND
+        // in case of DSA only SHA1 is supported on TZ
+        if (algo == DSA && hash.first != CKMC_HASH_SHA1)
+            continue;
+#endif
+
+        // iterate over padding algorithms
+        for (const auto& pad : PAD2STR) {
+            auto expectSuccess = [&](const RawBufferPtr& msg) {
+                signVerify(keys, pw.c_str(), msg, hash.first, pad.first);
+            };
+            auto expectInvalid = [&](const RawBufferPtr& msg) {
+                signInvalid(keys.prv, pw.c_str(), msg, hash.first, pad.first);
+            };
+
+            // padding is for RSA only, other algos should ignore it
+            if (algo == RSA && pad.first == CKMC_NONE_PADDING) {
+                if (hash.first == CKMC_HASH_NONE) {
+                    // no hash + no padding + key matching message
+                    expectSuccess(MESSAGES.at(keyBits));
+                }
+                // no padding + short message
+                expectInvalid(MESSAGE_SHORT);
+
+                // no padding + long message
+                expectInvalid(MESSAGE_LONG);
+
+            } else {
+                if (hash.first == CKMC_HASH_NONE) {
+                    // no hash + padding + long message
+                    expectInvalid(MESSAGE_LONG);
+
+                    // no hash + padding + short message
+                    if (algo == RSA)
+                        expectSuccess(MESSAGE_SHORT);
+                    else
+                        expectInvalid(MESSAGE_SHORT); // no support for CKMC_HASH_NONE
+                } else {
+                    // hash + padding + short message
+                    expectSuccess(MESSAGE_SHORT);
+
+                    // hash + padding + long message
+                    expectSuccess(MESSAGE_LONG);
+                }
+            }
+        }
+    }
+}
+
+} // namespace anonymous
+
+RUNNER_TEST_GROUP_INIT_ENV(CKM_SIGN_VERIFY, SignVerifyGroupFixture);
+
+
+// RSA
+RUNNER_TEST(TSV_0110_sign_verify_rsa_1024)
+{
+    testSignVerify(RSA, 1024, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0120_sign_verify_rsa_1024_pw)
+{
+    testSignVerify(RSA, 1024, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0130_sign_verify_rsa_2048)
+{
+    testSignVerify(RSA, 2048, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0140_sign_verify_rsa_2048_pw)
+{
+    testSignVerify(RSA, 2048, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0150_sign_verify_rsa_4096)
+{
+    testSignVerify(RSA, 4096, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0160_sign_verify_rsa_4096_pw)
+{
+    testSignVerify(RSA, 4096, PASSWORD_PROTECTED);
+}
+
+
+// DSA
+RUNNER_TEST(TSV_0210_sign_verify_dsa_1024)
+{
+    testSignVerify(DSA, 1024, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0220_sign_verify_dsa_1024_pw)
+{
+    testSignVerify(DSA, 1024, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0230_sign_verify_dsa_2048)
+{
+    testSignVerify(DSA, 2048, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0240_sign_verify_dsa_2048_pw)
+{
+    testSignVerify(DSA, 2048, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0250_sign_verify_dsa_3072)
+{
+    testSignVerify(DSA, 3072, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0260_sign_verify_dsa_3072_pw)
+{
+    testSignVerify(DSA, 3072, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0270_sign_verify_dsa_4096)
+{
+    testSignVerify(DSA, 4096, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0280_sign_verify_dsa_4096_pw)
+{
+    testSignVerify(DSA, 4096, PASSWORD_PROTECTED);
+}
+
+
+// ECDSA
+RUNNER_TEST(TSV_0310_sign_verify_ecdsa_PRIME192V1)
+{
+    testSignVerify(ECDSA, EC_PRIME192V1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0320_sign_verify_ecdsa_PRIME192V1_pw)
+{
+    testSignVerify(ECDSA, EC_PRIME192V1, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0330_sign_verify_ecdsa_PRIME256V1)
+{
+    testSignVerify(ECDSA, EC_PRIME256V1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0340_sign_verify_ecdsa_PRIME256V1_pw)
+{
+    testSignVerify(ECDSA, EC_PRIME256V1, PASSWORD_PROTECTED);
+}
+
+RUNNER_TEST(TSV_0350_sign_verify_ecdsa_SECP384R1)
+{
+    testSignVerify(ECDSA, EC_SECP384R1, PRIMARY);
+}
+
+RUNNER_TEST(TSV_0360_sign_verify_ecdsa_SECP384R1_pw)
+{
+    testSignVerify(ECDSA, EC_SECP384R1, PASSWORD_PROTECTED);
+}
+
+// TODO: border cases for padding
+// TODO: invalid arguments
+// TODO: Big data
diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt

index caccd72..b97fc80 100644 (file)
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@@ -12,7 +12,9 @@ PKG_CHECK_MODULES(COMMON_TARGET_DEP
      cynara-creds-socket
      cynara-creds-dbus
      cynara-creds-gdbus
+    cynara-creds-sd-bus
      security-manager
+    security-privilege-manager
      REQUIRED
      )
  
@@ -44,6 +46,8 @@ SET(COMMON_TARGET_TEST_SOURCES
      ${PROJECT_SOURCE_DIR}/src/common/sm_user_request.cpp
      ${PROJECT_SOURCE_DIR}/src/common/sm_policy_request.cpp
      ${PROJECT_SOURCE_DIR}/src/common/tzplatform.cpp
+    ${PROJECT_SOURCE_DIR}/src/common/privilege_manager.cpp
+    ${PROJECT_SOURCE_DIR}/src/common/scoped_process_label.cpp
      )
  
  #system and local includes
diff --git a/src/common/access_provider.cpp b/src/common/access_provider.cpp

index 1d3257a..fb53d86 100644 (file)
--- a/src/common/access_provider.cpp
+++ b/src/common/access_provider.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
  #include <tests_common.h>
  
  #include <access_provider.h>
+#include <scoped_process_label.h>
  
  namespace SecurityServer {
  
@@ -55,8 +56,7 @@ void AccessProvider::applyAndSwithToUser(int uid, int gid) {
      RUNNER_ASSERT_MSG(0 == smack_revoke_subject(m_myLabel.c_str()),
          "Error in smack_revoke_subject(" << m_myLabel << ")");
      apply();
-    RUNNER_ASSERT_MSG(0 == smack_set_label_for_self(m_myLabel.c_str()),
-        "Error in smack_set_label_for_self.");
+    ScopedProcessLabel spl(m_myLabel, false);
      RUNNER_ASSERT_MSG(0 == setgid(gid),
          "Error in setgid.");
      RUNNER_ASSERT_MSG(0 == setuid(uid),
diff --git a/src/common/app_def_privilege.h b/src/common/app_def_privilege.h

index 6d00972..d399dac 100644 (file)
--- a/src/common/app_def_privilege.h
+++ b/src/common/app_def_privilege.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ public:
          UNSET,
          UNTRUSTED,
          LICENSED,
+        PRIVACY,
      };
  
      Privilege(std::string systemPrivilege, Type type = UNSET, std::string license = std::string())
@@ -46,6 +47,7 @@ public:
      bool isUnset() const { return m_type == UNSET; }
      bool isUntrusted() const { return m_type == UNTRUSTED; }
      bool isLicensed() const { return m_type == LICENSED; }
+    bool isPrivacy() const { return m_type == PRIVACY; }
  
      int getType() const { return m_type; }
      app_defined_privilege_type getSMType () const {
diff --git a/src/common/app_install_helper.cpp b/src/common/app_install_helper.cpp

index 093da6b..1f6e0e8 100644 (file)
--- a/src/common/app_install_helper.cpp
+++ b/src/common/app_install_helper.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -34,6 +34,9 @@
  #include "app_install_helper.h"
  
  namespace {
+
+const gid_t FILE_GROUP = 100;
+
      std::string genSkelPath() {
          static std::string skelPkgDir;
          if (!skelPkgDir.empty())
@@ -94,6 +97,18 @@ void AppInstallHelper::setInstallPath(RootType type) const {
      case RootType::SKEL:
          info.path = genSkelPath() + "/" + getPkgId();
          break;
+    case RootType::SHARED:
+        if (m_isLocal)
+            info.path = TzPlatformConfig::appDirPath(getUID()) + ".shared/" + getPkgId();
+        else
+            info.path = TzPlatformConfig::globalAppDir() + "/.shared/" + getPkgId();
+        break;
+    case RootType::SHARED_TMP:
+        if (m_isLocal)
+            info.path = TzPlatformConfig::appDirPath(getUID()) + ".shared_tmp/" + getPkgId();
+        else
+            info.path = TzPlatformConfig::globalAppDir() + "/.shared_tmp/" + getPkgId();
+        break;
      }
  }
  
@@ -110,7 +125,7 @@ std::string AppInstallHelper::getPath(app_install_path_type smType, PathType pTy
          break;
      case PathType::FILE:
          // put files in the directory of the same type
-        path = getInstallDir(rType) + "/" + typeToPath.at(smType) + "_dir0/" + typeToPath.at(smType) + std::to_string(i);
+        path = getPath(smType, PathType::DIR, 0, rType) + "/" + typeToPath.at(smType) + std::to_string(i);
          break;
      }
      return path;
@@ -137,7 +152,11 @@ std::string AppInstallHelper::getPrivatePath(int i, RootType type) const {
  }
  
  std::string AppInstallHelper::getSharedRODir(int i, RootType type) const {
-    return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type);
+return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type);
+}
+
+std::string AppInstallHelper::getSharedROPath(int i, RootType type) const {
+    return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::FILE, i, type);
  }
  
  std::string AppInstallHelper::getAppId() const {
@@ -167,8 +186,8 @@ int AppInstallHelper::getGID() const {
  bool AppInstallHelper::createFile(app_install_path_type smType, const std::string &path) {
      if (creat(path.c_str(), 0751) == 0) {
          // Local paths need user change
-        m_fileTypeMap[smType].push_back(std::move(path));
-        if (!m_isLocal || chown(path.c_str(), m_uidGid, m_uidGid) == 0)
+        m_fileTypeMap[smType].push_back(path);
+        if (!m_isLocal || chown(path.c_str(), m_uidGid, FILE_GROUP) == 0)
              return true;
      }
      return false;
@@ -178,8 +197,8 @@ bool AppInstallHelper::createDir(app_install_path_type smType, const std::string
      mktreeSafe(path, 0777);
      // Dont pass base pkg dirs to SM, because transmute will be forced on RO subdirs
      if (!isBasePath)
-        m_dirTypeMap[smType].push_back(std::move(path));
-    if (!m_isLocal || chown(path.c_str(), m_uidGid, m_uidGid) == 0)
+        m_dirTypeMap[smType].push_back(path);
+    if (!m_isLocal || chown(path.c_str(), m_uidGid, FILE_GROUP) == 0)
          return true;
  
      return false;
@@ -202,12 +221,25 @@ void AppInstallHelper::createPath(app_install_path_type smType, PathType pType,
          createDir(smType, path);
          break;
      case PathType::FILE:
-        createPath(smType, PathType::DIR, i, rType);
+        createPath(smType, PathType::DIR, 0, rType);
          createFile(smType, path);
          break;
      }
  }
  
+void AppInstallHelper::createDirLink(app_install_path_type smType, const std::string &dest, int i,
+                                     RootType rType)
+{
+    createInstallDir(rType);
+    std::string linkPath = getPath(smType, PathType::DIR, i, rType);
+    if (symlink(dest.c_str(), linkPath.c_str()) == 0) {
+        m_fileTypeMap[smType].push_back(linkPath);
+        if (m_isLocal) {
+            chown(linkPath.c_str(), m_uidGid, FILE_GROUP);
+        }
+    }
+}
+
  void AppInstallHelper::createTrustedDir(int i, RootType type) {
      createPath(SECURITY_MANAGER_PATH_TRUSTED_RW, PathType::DIR, i, type);
  }
@@ -225,7 +257,14 @@ void AppInstallHelper::createPrivateFile(int i, RootType type) {
  }
  
  void AppInstallHelper::createSharedRODir(int i, RootType type) {
-    createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type);
+    createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, RootType::SHARED);
+    createInstallDir(RootType::SHARED_TMP);
+    auto linkPath = getSharedRODir(i, RootType::SHARED);
+    createDirLink(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, linkPath, i, type);
+}
+
+void AppInstallHelper::createSharedROFile(int i, RootType type) {
+    createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::FILE, i, type);
  }
  
  void AppInstallHelper::createPrivateRODir(int i, RootType type) {
diff --git a/src/common/app_install_helper.h b/src/common/app_install_helper.h

index e238261..cefeb71 100644 (file)
--- a/src/common/app_install_helper.h
+++ b/src/common/app_install_helper.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -90,7 +90,9 @@ struct AppInstallHelper {
      enum RootType {
          BASE,
          SKEL,
-        EXTENDED
+        EXTENDED,
+        SHARED,
+        SHARED_TMP
      };
  
      enum PathType {
@@ -107,6 +109,7 @@ struct AppInstallHelper {
      void createPublicDir(RootType type = RootType::BASE);
      void createPrivateFile(int i = 0, RootType type = RootType::BASE);
      void createSharedRODir(int i = 0, RootType type = RootType::BASE);
+    void createSharedROFile(int i = 0, RootType type = RootType::BASE);
      void createPrivateRODir(int i = 0, RootType type = RootType::BASE);
      void removePaths();
  
@@ -121,6 +124,7 @@ struct AppInstallHelper {
      std::string getPublicDir(RootType type = RootType::BASE) const;
      std::string getPrivatePath(int i = 0, RootType type = RootType::BASE) const;
      std::string getSharedRODir(int i = 0, RootType type = RootType::BASE) const;
+    std::string getSharedROPath(int i = 0, RootType type = RootType::BASE) const;
      const TypePathsMap& getDirsMap() const;
      const TypePathsMap& getFilesMap() const;
  
@@ -155,6 +159,8 @@ protected:
  
      bool createFile(app_install_path_type smType, const std::string &path);
      bool createDir(app_install_path_type smType, const std::string &path, bool isBasePath = false);
+    void createDirLink(app_install_path_type smType, const std::string &dest, int i = 0,
+                       RootType rType = RootType::BASE);
      void createInstallDir(RootType type);
  
      std::string m_appName;
diff --git a/src/common/cynara_helpers_creds.cpp b/src/common/cynara_helpers_creds.cpp

index dc1c904..deaaf93 100644 (file)
--- a/src/common/cynara_helpers_creds.cpp
+++ b/src/common/cynara_helpers_creds.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
  #include <cynara-creds-dbus.h>
  #include <cynara-creds-socket.h>
  #include <cynara-creds-gdbus.h>
+#include <cynara-creds-sd-bus.h>
  
  #include "cynara_helpers_creds.h"
  
@@ -113,4 +114,32 @@ pid_t gdbusGetPid(GDBusConnectionPtr connection, const char *uniqueName) {
      return pid;
  }
  
+char *sdBusGetClient(SdBusConnectionPtr connection, const char *uniqueName,
+                     cynara_client_creds method, int expectedResult) {
+    char *buff = nullptr;
+    auto ret = cynara_creds_sd_bus_get_client(connection.get(), uniqueName, method, &buff);
+    RUNNER_ASSERT_MSG(ret == expectedResult,
+                      "cynara_creds_sd_bus_get_client failed, ret = " << ret
+                      << "; expected = " << expectedResult);
+    return buff;
+}
+
+char *sdBusGetUser(SdBusConnectionPtr connection, const char *uniqueName, cynara_user_creds method,
+                   int expectedResult) {
+    char *buff = nullptr;
+    auto ret = cynara_creds_sd_bus_get_user(connection.get(), uniqueName, method, &buff);
+    RUNNER_ASSERT_MSG(ret == expectedResult,
+                      "cynara_creds_sd_bus_get_user failed, ret = " << ret
+                      << "; expected = " << expectedResult);
+    return buff;
+}
+
+pid_t sdBusGetPid(SdBusConnectionPtr connection, const char *uniqueName, int expectedResult) {
+    pid_t pid = -1;
+    auto ret = cynara_creds_sd_bus_get_pid(connection.get(), uniqueName, &pid);
+    RUNNER_ASSERT_MSG(ret == expectedResult, "cynara_creds_sd_bus_get_pid failed, ret = " << ret
+                                             << "; expected = " << expectedResult);
+    return pid;
+}
+
  } //namespace CynaraHelperCredentials
diff --git a/src/common/cynara_helpers_creds.h b/src/common/cynara_helpers_creds.h

index cafe423..4214876 100644 (file)
--- a/src/common/cynara_helpers_creds.h
+++ b/src/common/cynara_helpers_creds.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -61,6 +61,14 @@ char *gdbusGetUser(GDBusConnectionPtr connection, const char *uniqueName, cynara
  
  pid_t gdbusGetPid(GDBusConnectionPtr connection, const char *uniqueName);
  
+char *sdBusGetClient(SdBusConnectionPtr connection, const char *uniqueName,
+                     cynara_client_creds method, int expectedResult);
+
+char *sdBusGetUser(SdBusConnectionPtr connection, const char *uniqueName, cynara_user_creds method,
+                   int expectedResult);
+
+pid_t sdBusGetPid(SdBusConnectionPtr connection, const char *uniqueName, int expectedResult);
+
  } // namespace CynaraHelperCredentials
  
  #endif // CYNARA_TEST_HELPERS_H_
diff --git a/src/common/cynara_helpers_dbus.h b/src/common/cynara_helpers_dbus.h

index 19c1b24..ad3a22d 100644 (file)
--- a/src/common/cynara_helpers_dbus.h
+++ b/src/common/cynara_helpers_dbus.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -25,11 +25,14 @@
  #include <functional>
  #include <gio/gio.h>
  #include <memory>
+#include <systemd/sd-bus.h>
  
  typedef std::function<void(DBusConnection *)> DBusConnectionCloseAndUnref;
  typedef std::function<void(GDBusConnection *)> GDBusConnectionCloseAndUnref;
+typedef std::function<void(sd_bus *)> SdBusConnectionUnref;
  typedef std::unique_ptr<DBusConnection, DBusConnectionCloseAndUnref> DBusConnectionPtr;
  typedef std::unique_ptr<GDBusConnection, GDBusConnectionCloseAndUnref> GDBusConnectionPtr;
+typedef std::unique_ptr<sd_bus, SdBusConnectionUnref> SdBusConnectionPtr;
  
  
  #endif // CYNARA_TEST_HELPERS_DBUS_H_
diff --git a/src/common/label_generator.cpp b/src/common/label_generator.cpp

index 6fc5140..dbd00b5 100644 (file)
--- a/src/common/label_generator.cpp
+++ b/src/common/label_generator.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -36,11 +36,6 @@ std::string generatePathROLabel(const std::string &pkgId)
      return generatePathRWLabel(pkgId) + "::RO";
  }
  
-std::string generatePathSharedROLabel(const std::string &pkgId)
-{
-    return generatePathRWLabel(pkgId) + "::SharedRO";
-}
-
  std::string generatePathTrustedLabel(int64_t authorId)
  {
      return "User::Author::" + std::to_string(authorId);
@@ -50,3 +45,8 @@ std::string getPublicPathLabel()
  {
      return "User::Home";
  }
+
+std::string getSharedROPathLabel()
+{
+    return "User::App::Shared";
+}
diff --git a/src/common/label_generator.h b/src/common/label_generator.h

index 8c99ed4..b4af291 100644 (file)
--- a/src/common/label_generator.h
+++ b/src/common/label_generator.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -20,6 +20,6 @@
  std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid = false);
  std::string generatePathRWLabel(const std::string &pkgId);
  std::string generatePathROLabel(const std::string &pkgId);
-std::string generatePathSharedROLabel(const std::string &pkgId);
  std::string generatePathTrustedLabel(int64_t authorId);
  std::string getPublicPathLabel();
+std::string getSharedROPathLabel();
diff --git a/src/common/pkg_privacy_privileges.h b/src/common/pkg_privacy_privileges.h

new file mode 100644 (file)

index 0000000..dfa6db5
--- /dev/null
+++ b/src/common/pkg_privacy_privileges.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#pragma once
+
+#include <string>
+#include <sys/types.h>
+#include <vector>
+
+#include <app_def_privilege.h>
+#include <app_install_helper.h>
+#include <privilege_manager.h>
+#include <memory.h>
+#include <dpl/test/safe_cleanup.h>
+
+class PkgPrivacyPrivileges {
+public:
+    PkgPrivacyPrivileges(const AppInstallHelper &app)
+        : m_pkgId(app.getPkgId()),
+          m_uid(app.getUID()),
+          m_creatorPid(getpid()),
+          m_shouldUnsetPrivacy(false)
+    {
+        std::vector<std::string> privacyPrivileges;
+        for (const Privilege &privilege : app.getPrivileges())
+            if (privilege.isPrivacy())
+                privacyPrivileges.push_back(privilege.getName());
+
+        if (!privacyPrivileges.empty()) {
+            PrivilegeManager::setPrivacyPrivileges(
+                app.getUID(), app.getPkgId(), app.getVersion(), privacyPrivileges);
+            m_shouldUnsetPrivacy = true;
+        }
+    }
+
+    PkgPrivacyPrivileges(const PkgPrivacyPrivileges &) = delete;
+    PkgPrivacyPrivileges(PkgPrivacyPrivileges &&other)
+        : m_pkgId(std::move(other.m_pkgId)),
+          m_uid(other.m_uid),
+          m_shouldUnsetPrivacy(other.m_shouldUnsetPrivacy)
+    {
+        other.m_uid = 0;
+        other.m_shouldUnsetPrivacy = false;
+        other.m_creatorPid = -1;
+    }
+
+    PkgPrivacyPrivileges& operator=(const PkgPrivacyPrivileges &) = delete;
+
+    virtual ~PkgPrivacyPrivileges() {
+        if (m_creatorPid == getpid())
+        {
+            SafeCleanup::run([this]{ unsetPrivacy(); });
+        }
+    }
+
+    void unsetPrivacy() {
+        if (!m_shouldUnsetPrivacy)
+            return;
+        PrivilegeManager::unsetPrivacyPrivileges(m_uid, m_pkgId);
+        m_shouldUnsetPrivacy = false;
+    }
+
+protected:
+    std::string m_pkgId;
+    uid_t m_uid;
+    pid_t m_creatorPid;
+    bool m_shouldUnsetPrivacy;
+};
diff --git a/src/common/privilege_manager.cpp b/src/common/privilege_manager.cpp

new file mode 100644 (file)

index 0000000..01d1f47
--- /dev/null
+++ b/src/common/privilege_manager.cpp
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include <new>
+#include <glib.h>
+#include <gmodule.h>
+
+#include "dpl/test/test_runner.h"
+#include "privilege_manager.h"
+
+namespace PrivilegeManager {
+
+void setPrivacyPrivileges(const uid_t uid, const std::string &pkgId,
+    const std::string &tizenVersion, const std::vector<std::string> &privileges,
+    const privilege_manager_package_type_e &type)
+{
+    GList *list = nullptr;
+
+    for (const std::string &privilege : privileges) {
+        gchar *str = g_strdup(privilege.c_str());
+        if (str == nullptr) {
+            g_list_free_full(list, g_free);
+            throw std::bad_alloc();
+        }
+
+        GList *listNew = g_list_append(list, str);
+        if (listNew == nullptr) {
+            g_list_free_full(list, g_free);
+            throw std::bad_alloc();
+        }
+
+        list = listNew;
+    }
+
+    int ret = privilege_package_info_set_privacy_privilege(uid, pkgId.c_str(),
+        type, tizenVersion.empty() ? "4.0" : tizenVersion.c_str(), list);
+    g_list_free_full(list, g_free);
+
+    RUNNER_ASSERT_MSG(ret == PRVMGR_ERR_NONE,
+        "privilege_package_info_set_privacy_privilege failed: " << ret);
+}
+
+void unsetPrivacyPrivileges(const uid_t uid, const std::string &pkgId)
+{
+    int ret = privilege_package_info_unset_package_privilege_info(
+        uid, pkgId.c_str());
+
+    RUNNER_ASSERT_MSG(ret == PRVMGR_ERR_NONE,
+        "privilege_package_info_unset_privacy_privilege failed: " << ret);
+}
+
+} // namespace PrivilegeManager
diff --git a/src/security-manager-tests/common/scoped_label.h b/src/common/privilege_manager.h

similarity index 55%

rename from src/security-manager-tests/common/scoped_label.h

rename to src/common/privilege_manager.h

index 3436e80..b46414a 100644 (file)
--- a/src/security-manager-tests/common/scoped_label.h
+++ b/src/common/privilege_manager.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -16,19 +16,16 @@
  
  #pragma once
  
-#include <sys/smack.h>
+#include <string>
+#include <vector>
+#include <privilege_package_info.h>
  
-class ScopedProcessLabel {
-public:
-    ScopedProcessLabel() {
-        smack_new_label_from_self(&label);
-    }
+namespace PrivilegeManager {
  
-    ~ScopedProcessLabel() {
-        smack_set_label_for_self(label);
-        free(label);
-    }
+void setPrivacyPrivileges(const uid_t uid, const std::string &pkgId,
+    const std::string &tizenVersion, const std::vector<std::string> &privileges,
+    const privilege_manager_package_type_e &type = PRVMGR_PACKAGE_TYPE_CORE);
  
-private:
-    char *label;
-};
+void unsetPrivacyPrivileges(const uid_t uid, const std::string &pkgId);
+
+} // namespace PrivilegeManager
diff --git a/src/common/scoped_installer.h b/src/common/scoped_installer.h

index 4a0ff06..82175ce 100644 (file)
--- a/src/common/scoped_installer.h
+++ b/src/common/scoped_installer.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@
  class ScopedInstaller {
  public:
      ScopedInstaller(const AppInstallHelper &app, bool requestUid = true)
-        : m_appId(app.getAppId()),
+        : m_appIds({app.getAppId()}),
            m_uid(app.getUID()),
            m_installType(app.getInstallType()),
            m_shouldUninstall(true),
@@ -70,9 +70,30 @@ public:
          SecurityManagerTest::Api::install(instReq);
      }
  
+    ScopedInstaller(const std::vector<std::string> &appIds, const std::string &pkgId)
+        : m_appIds(appIds),
+          m_uid(0),
+          m_installType(SM_APP_INSTALL_NONE),
+          m_shouldUninstall(true),
+          m_requestUid(false),
+          m_creatorPid(getpid())
+    {
+        SecurityManagerTest::InstallRequest instReq;
+
+        instReq.setPkgId(pkgId);
+        for (unsigned int i = 0; i < appIds.size(); i++) {
+            if (i > 0)
+                instReq.nextApp();
+
+            instReq.setAppId(appIds[i]);
+        }
+
+        SecurityManagerTest::Api::install(instReq);
+    }
+
      ScopedInstaller(const ScopedInstaller &) = delete;
      ScopedInstaller(ScopedInstaller &&other)
-        : m_appId(std::move(other.m_appId)),
+        : m_appIds(std::move(other.m_appIds)),
            m_uid(other.m_uid),
            m_installType(other.m_installType),
            m_shouldUninstall(other.m_shouldUninstall),
@@ -97,7 +118,12 @@ public:
          if (!m_shouldUninstall)
              return;
          SecurityManagerTest::InstallRequest uninstReq;
-        uninstReq.setAppId(m_appId);
+        for (unsigned int i = 0; i < m_appIds.size(); i++) {
+            if (i > 0)
+                uninstReq.nextApp();
+
+            uninstReq.setAppId(m_appIds[i]);
+        }
          if (m_requestUid)
              uninstReq.setUid(m_uid);
          if (m_installType != SM_APP_INSTALL_NONE)
@@ -107,7 +133,7 @@ public:
      }
  
  protected:
-    std::string m_appId;
+    std::vector<std::string> m_appIds;
      uid_t m_uid;
      app_install_type m_installType;
      bool m_shouldUninstall;
diff --git a/src/common/scoped_process_label.cpp b/src/common/scoped_process_label.cpp

new file mode 100644 (file)

index 0000000..aa642fe
--- /dev/null
+++ b/src/common/scoped_process_label.cpp
@@ -0,0 +1,150 @@
+/*
+ *  Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ */
+/*
+ * @file       scoped_process_label.cpp
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version    1.0
+ * @brief
+ */
+
+#include <scoped_process_label.h>
+
+#include <stdlib.h>
+#include <sys/smack.h>
+
+#include <utility>
+#include <memory>
+#include <fstream>
+
+#include <dpl/test/test_runner.h>
+
+namespace {
+
+const std::string& getOnlycapPath()
+{
+       static std::string onlycapPath;
+
+       if (onlycapPath.empty()) {
+               const char* smackfs = smack_smackfs_path();
+               if (smackfs != nullptr) {
+                       onlycapPath.assign(smackfs);
+                       onlycapPath.append("/onlycap");
+               }
+       }
+       return onlycapPath;
+}
+
+const char* SEPARATORS = " ";
+
+OnlycapSet smackGetOnlycap()
+{
+       std::ifstream ifs(getOnlycapPath());
+
+       RUNNER_ASSERT_MSG(ifs, "Opening " << getOnlycapPath() << " failed.");
+
+       std::string onlycap((std::istreambuf_iterator<char>(ifs)), std::istreambuf_iterator<char>());
+       ifs.close();
+
+       OnlycapSet onlycapSet;
+
+       size_t first = 0;
+       size_t last = 0;
+       while (last != std::string::npos) {
+               first = onlycap.find_first_not_of(SEPARATORS, last);
+               if (first == std::string::npos)
+                       break;
+
+               last = onlycap.find_first_of(SEPARATORS, first + 1);
+               if (last == std::string::npos)
+                       onlycapSet.insert(onlycap.substr(first));
+               else
+                       onlycapSet.insert(onlycap.substr(first, last - first));
+       }
+       return onlycapSet;
+}
+
+void smackSetOnlycap(const OnlycapSet& onlycapSet)
+{
+       if (onlycapSet.empty()) {
+               int ret = smack_set_onlycap(NULL, 0);
+               RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_onlycap():" << ret);
+               return;
+       }
+
+       const char* labels[onlycapSet.size()];
+       size_t i = 0;
+       for (const auto& label : onlycapSet) {
+               labels[i] = label.c_str();
+               i++;
+       }
+
+       int ret = smack_set_onlycap(labels, i);
+       RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_onlycap():" << ret);
+}
+
+void smackSetLabelForSelf(const std::string& label)
+{
+       int ret = smack_set_label_for_self(label.c_str());
+       RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self('" << label << "'): " << ret);
+}
+
+} // namespace anonymous
+
+ScopedProcessLabel::ScopedProcessLabel(std::string label, bool restore) :
+               m_label(std::move(label))
+{
+       if (restore) {
+               // store the current process label
+               char* originalLabel = NULL;
+               ssize_t size = smack_new_label_from_self(&originalLabel);
+               RUNNER_ASSERT_MSG(size > 0 || originalLabel != nullptr,
+                                 "Error in smack_new_label_from_self():" << size);
+
+               std::unique_ptr<char, decltype(&free)> originalLabelPtr(originalLabel, free);
+               m_originalLabel.assign(originalLabel, size);
+
+               m_originalOnlycap = smackGetOnlycap();
+
+               // add new label to onlycap so that it's able to restore the label
+               if (!m_originalOnlycap.empty()
+                       && m_originalOnlycap.find(m_label) == m_originalOnlycap.end()) {
+                       OnlycapSet newOnlycap = m_originalOnlycap;
+                       newOnlycap.insert(m_label);
+                       smackSetOnlycap(newOnlycap);
+               } else {
+                       m_originalOnlycap.clear();
+               }
+       }
+       smackSetLabelForSelf(m_label);
+}
+
+ScopedProcessLabel::~ScopedProcessLabel()
+{
+       // it has to be restored
+       if (!m_originalLabel.empty()) {
+               try {
+                       smackSetLabelForSelf(m_originalLabel);
+                       if (!m_originalOnlycap.empty())
+                               smackSetOnlycap(m_originalOnlycap);
+               } catch (const DPL::Test::TestException& e) {
+                       RUNNER_ERROR_MSG("Test exception occurred: " << e.GetMessage());
+               } catch (const std::exception& e) {
+                       RUNNER_ERROR_MSG("Std exception occurred: " << e.what());
+               } catch (...) {
+                       RUNNER_ERROR_MSG("Unknown exception occurred.");
+               }
+       }
+}
diff --git a/src/common/scoped_process_label.h b/src/common/scoped_process_label.h

new file mode 100644 (file)

index 0000000..5cb0dfc
--- /dev/null
+++ b/src/common/scoped_process_label.h
@@ -0,0 +1,43 @@
+/*
+ *  Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License
+ */
+/*
+ * @file       scoped_process_label.h
+ * @author     Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version    1.0
+ * @brief
+ */
+
+#pragma once
+
+#include <string>
+#include <unordered_set>
+
+#include <dpl/noncopyable.h>
+
+typedef std::unordered_set<std::string> OnlycapSet;
+
+class ScopedProcessLabel: public DPL::Noncopyable
+{
+public:
+       // if restore == true the original label will be restored
+       explicit ScopedProcessLabel(std::string label, bool restore = true);
+       ~ScopedProcessLabel();
+
+private:
+       std::string m_label;
+       std::string m_originalLabel;
+       OnlycapSet m_originalOnlycap;
+};
diff --git a/src/common/service_manager.cpp b/src/common/service_manager.cpp

index c571d5f..4441ace 100644 (file)
--- a/src/common/service_manager.cpp
+++ b/src/common/service_manager.cpp
@@ -283,10 +283,10 @@ void ServiceManager::executeMethod(const std::string &method, const std::string
  
  void ServiceManager::startService(bool withSockets)
  {
-    executeMethod("StartUnit", m_serviceName);
      if (withSockets)
          for (const auto &socket : m_socketsNames)
              executeMethod("StartUnit", socket);
+    executeMethod("StartUnit", m_serviceName);
  }
  
  void ServiceManager::stopService(bool withSockets)
diff --git a/src/common/sm_api.cpp b/src/common/sm_api.cpp

index d7ab650..4516755 100644 (file)
--- a/src/common/sm_api.cpp
+++ b/src/common/sm_api.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -14,6 +14,9 @@
   *    limitations under the License.
   */
  
+#include <unistd.h>
+#include <sys/types.h>
+
  #include <sm_api.h>
  
  #include <dpl/test/test_runner.h>
@@ -24,7 +27,38 @@ namespace Api {
  
  void install(const InstallRequest &request, lib_retcode expectedResult)
  {
-    int result = security_manager_app_install(request.get());
+    uid_t uid = getuid();
+    std::string dbPath = uid == 0 ? "/opt/dbspace/" : "/opt/dbspace/user/" + std::to_string(uid) + "/";
+
+    std::ostringstream command;
+    command << "/usr/bin/sqlite3 "
+            << dbPath << ".pkgmgr_parser.db "
+            << " \"insert into package_info (package, package_type, package_api_version,"
+            << " install_location, mainapp_id, root_path, installed_storage)"
+            << " values ('" << request.getPkgId() << "', 'tpk', '" << request.getAppTizenVersion()
+            << "', 'auto', '" << request.getPkgId() << "', '/opt/usr/globallapps/"
+            << request.getPkgId() << "', 'installed_internal')\"";
+    int result = system(command.str().c_str());
+    RUNNER_ASSERT_MSG(result == 0, "failed to set package_info: " << result);
+
+    result = security_manager_app_install(request.get());
+    RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
+                      "installing app returned wrong value."
+                          << " InstallRequest: [ " << request << "];"
+                          << " Result: " << result << ";"
+                          << " Expected result: " << expectedResult);
+
+    command = std::ostringstream();
+    command << "/usr/bin/sqlite3 "
+            << dbPath << ".pkgmgr_parser.db "
+            << " \"delete from package_info where package='" << request.getPkgId() << "'\"";
+    result = system(command.str().c_str());
+    RUNNER_ASSERT_MSG(result == 0, "failed to unset package_info: " << result);
+}
+
+void update(const InstallRequest &request, lib_retcode expectedResult)
+{
+    int result = security_manager_app_update(request.get());
      RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
                        "installing app returned wrong value."
                            << " InstallRequest: [ " << request << "];"
@@ -89,6 +123,15 @@ void dropProcessPrivileges(lib_retcode expectedResult)
                            << " Expected result: " << expectedResult);
  }
  
+void prepareAppCandidate(lib_retcode expectedResult)
+{
+    int result = security_manager_prepare_app_candidate();
+    RUNNER_ASSERT_MSG((lib_retcode) result == expectedResult,
+                      "preparing app candidate process returned wrong value."
+                          << " Result: " << result << ";"
+                          << " Expected result: " << expectedResult);
+}
+
  void prepareApp(const std::string &appId, lib_retcode expectedResult)
  {
      int result = security_manager_prepare_app(appId.c_str());
@@ -99,6 +142,18 @@ void prepareApp(const std::string &appId, lib_retcode expectedResult)
                            << " Expected result: " << expectedResult);
  }
  
+void cleanupApp(const std::string &appId, uid_t uid, pid_t pid, lib_retcode expectedResult)
+{
+    int result = security_manager_cleanup_app(appId.c_str(), uid, pid);
+    RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
+                      "cleanup app returned wrong value."
+                          << " App id: " << appId << ";"
+                          << " user id: " << uid << ";"
+                          << " process id: " << pid << ";"
+                          << " Result: " << result << ";"
+                          << " Expected result: " << expectedResult);
+}
+
  void addUser(const UserRequest &request, lib_retcode expectedResult)
  {
      int result = security_manager_user_add(request.get());
diff --git a/src/common/sm_api.h b/src/common/sm_api.h

index ca1fb6d..a623ab8 100644 (file)
--- a/src/common/sm_api.h
+++ b/src/common/sm_api.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -30,12 +30,15 @@ namespace SecurityManagerTest {
  namespace Api {
  
  void install(const InstallRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+void update(const InstallRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void uninstall(const InstallRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  std::string getPkgId(const std::string &appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void setProcessLabel(const std::string &appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void setProcessGroups(const std::string &appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void dropProcessPrivileges(lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void prepareApp(const std::string &appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+void prepareAppCandidate(lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+void cleanupApp(const std::string &appId, uid_t uid, pid_t pid, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void addUser(const UserRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void deleteUser(const UserRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
  void sendPolicy(const PolicyRequest &request, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
diff --git a/src/common/sm_request.cpp b/src/common/sm_request.cpp

index 6e06150..b6fa1a1 100644 (file)
--- a/src/common/sm_request.cpp
+++ b/src/common/sm_request.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -70,7 +70,6 @@ void InstallRequest::setAppId(std::string appId, lib_retcode expectedResult)
                            << " App id: " << appId << ";"
                            << " Result: " << result << ";"
                            << " Expected result: " << expectedResult);
-    m_appId = std::move(appId);
  }
  
  void InstallRequest::setPkgId(std::string pkgId, lib_retcode expectedResult)
@@ -167,10 +166,17 @@ void InstallRequest::setHybrid(lib_retcode expectedResult)
                         << " Expected result: " << expectedResult);
  }
  
+void InstallRequest::nextApp(lib_retcode expectedResult)
+{
+    int result = security_manager_app_inst_req_next(m_req);
+    RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
+                        "security_manager_app_inst_req_next() returned wrong value."
+                        << " Result: " << result << ";"
+                        << " Expected result: " << expectedResult);
+}
+
  std::ostream& operator<<(std::ostream &os, const InstallRequest &request)
  {
-    if (!request.m_appId.empty())
-        os << "app id: " << request.m_appId << "; ";
      if (!request.m_pkgId.empty())
          os << "pkg id: " << request.m_pkgId << "; ";
      if (!request.m_privileges.empty()) {
diff --git a/src/common/sm_request.h b/src/common/sm_request.h

index 7d74f64..d58d43e 100644 (file)
--- a/src/common/sm_request.h
+++ b/src/common/sm_request.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -42,7 +42,6 @@ public:
      InstallRequest& operator=(const InstallRequest&) = delete;
      InstallRequest(InstallRequest &&other)
          : m_req(std::move(other.m_req)),
-          m_appId(std::move(other.m_appId)),
            m_pkgId(std::move(other.m_pkgId)),
            m_authorId(std::move(other.m_authorId)),
            m_privileges(std::move(other.m_privileges)),
@@ -67,6 +66,8 @@ public:
      void setAuthorId(std::string authorId, lib_retcode expectedResult= SECURITY_MANAGER_SUCCESS);
      void setInstallType(const enum app_install_type &type, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
      void setHybrid(lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+    void nextApp(lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+    std::string getPkgId() const { return m_pkgId; }
      std::string getAppTizenVersion() const { return m_tizenVer; }
      app_inst_req *get() { return m_req; }
      const app_inst_req *get() const { return m_req; }
@@ -76,7 +77,6 @@ private:
      app_inst_req *m_req;
  
      std::string m_tizenVer;
-    std::string m_appId;
      std::string m_pkgId;
      std::string m_authorId;
      PrivilegeVector m_privileges;
diff --git a/src/common/synchronization_pipe.cpp b/src/common/synchronization_pipe.cpp

index dcf9d30..8336767 100644 (file)
--- a/src/common/synchronization_pipe.cpp
+++ b/src/common/synchronization_pipe.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
   * @brief       A crippled abstraction of widely praised, but often misused communication mechanism
   */
  
+#include <poll.h>
  #include <stdexcept>
  #include <unistd.h>
  
@@ -76,15 +77,33 @@ void SynchronizationPipe::claimChildEp() {
  }
  
  void SynchronizationPipe::post() {
-    RUNNER_ASSERT_MSG(m_epClaimed == true, "Endpoint not claimed");
-    auto ret = TEMP_FAILURE_RETRY(write(m_writeEp, "#", 1));
-    RUNNER_ASSERT_ERRNO_MSG(ret > 0, "Write failed ret = " << ret);
+    post("#", 1);
  }
  
  void SynchronizationPipe::wait() {
+    char dummy;
+    wait(&dummy, 1);
+}
+
+void SynchronizationPipe::pollForWait() {
+    RUNNER_ASSERT_MSG(m_epClaimed == true, "Endpoint not claimed");
+
+    pollfd fds[1];
+    fds->fd = m_readEp;
+    fds->events = POLLIN;
+    auto ret = TEMP_FAILURE_RETRY(poll(fds, 1, -1));
+    RUNNER_ASSERT_ERRNO(ret > 0);
+}
+
+void SynchronizationPipe::post(const void *data, size_t size) {
+    RUNNER_ASSERT_MSG(m_epClaimed == true, "Endpoint not claimed");
+    auto ret = TEMP_FAILURE_RETRY(write(m_writeEp, data, size));
+    RUNNER_ASSERT_ERRNO_MSG(ret > 0 && size_t(ret) == size, "Write failed size = " << size << " ret = " << ret);
+}
+
+void SynchronizationPipe::wait(void *data, size_t size) {
      RUNNER_ASSERT_MSG(m_epClaimed == true, "Endpoint not claimed");
  
-    char buf;
-    auto ret = TEMP_FAILURE_RETRY(read(m_readEp, &buf, 1));
-    RUNNER_ASSERT_ERRNO_MSG(ret > 0, "Read failed ret = " << ret);
+    auto ret = TEMP_FAILURE_RETRY(read(m_readEp, data, size));
+    RUNNER_ASSERT_ERRNO_MSG(ret > 0 && size_t(ret) == size, "Read failed size = " << size << " ret = " << ret);
  }
diff --git a/src/common/synchronization_pipe.h b/src/common/synchronization_pipe.h

index e072ca2..099323d 100644 (file)
--- a/src/common/synchronization_pipe.h
+++ b/src/common/synchronization_pipe.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -33,6 +33,10 @@ public:
  
      void post();
      void wait();
+    void pollForWait();
+
+    void post(const void *data, size_t size);
+    void wait(void *data, size_t size);
  
  private:
      int m_pipeCP[2];    // Child -> Parent
diff --git a/src/common/temp_test_user.h b/src/common/temp_test_user.h

index 3a3b6d1..291d506 100644 (file)
--- a/src/common/temp_test_user.h
+++ b/src/common/temp_test_user.h
@@ -34,8 +34,7 @@ public:
              m_offline(offline),
              m_creatorPid(getpid())
              {};
-    // TODO - copy constructor should be deleted
-    TemporaryTestUser(const TemporaryTestUser &) = default;
+    TemporaryTestUser(const TemporaryTestUser &) = delete;
      TemporaryTestUser(TemporaryTestUser &&other);
      TemporaryTestUser& operator=(const TemporaryTestUser &) = delete;
      ~TemporaryTestUser();
diff --git a/src/common/tests_common.cpp b/src/common/tests_common.cpp

index b5dff60..235b062 100644 (file)
--- a/src/common/tests_common.cpp
+++ b/src/common/tests_common.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -65,12 +65,6 @@ int drop_root_privileges(uid_t appUid, gid_t appGid)
      return 1;
  }
  
-void setLabelForSelf(const int line, const char *label)
-{
-    int ret = smack_set_label_for_self(label);
-    RUNNER_ASSERT_MSG(ret == 0, "Error in smack_set_label_for_self(): " << ret << ", line: " << line);
-}
-
  /*
   * Add a new group to the current process groups.
   */
@@ -240,12 +234,6 @@ void waitPid(pid_t pid)
          "Child process exited abnormally" <<
          ": ret=" << ret << ", errno=" << errno << ", status=" << status);
  }
-// changes process label
-void change_label(const char* label)
-{
-    int ret = smack_set_label_for_self(label);
-    RUNNER_ASSERT_MSG(0 == ret, "Error in smack_set_label_for_self("<<label<<"). Error: " << ret);
-}
  
  pid_t runInChild(const std::function<void(void)> &process) {
      pid_t pid = fork();
diff --git a/src/common/tests_common.h b/src/common/tests_common.h

index 3e829f1..bfb46d9 100644 (file)
--- a/src/common/tests_common.h
+++ b/src/common/tests_common.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2013-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2013 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@
  #include <string.h>
  
  const uid_t APP_UID     = 5001;
-const gid_t APP_GID     = 5001;
+const gid_t APP_GID     = 100;
  const uid_t APP_UID_2   = 5200;
  const gid_t APP_GID_2   = 5200;
  const uid_t DB_ALARM_UID = 6001;
@@ -47,7 +47,6 @@ const std::string TMP_DIR("/tmp");
  
  bool smack_check(void);
  int drop_root_privileges(uid_t appUid = APP_UID, gid_t appGid = APP_GID);
-void setLabelForSelf(const int line, const char *label);
  void add_process_group(const char* group_name);
  void remove_process_group(const char* group_name);
  std::string formatCstr(const char *cstr);
@@ -58,7 +57,6 @@ void creatSafe(const std::string &path, mode_t mode);
  void symlinkSafe(const std::string &targetPath, const std::string &linkPath);
  void removeDir(const std::string &path);
  void waitPid(pid_t pid);
-void change_label(const char* label);
  
  pid_t runInChild(const std::function<void(void)> &process);
  void runInChildParentWait(const std::function<void(void)> &process);
diff --git a/src/cynara-tests/CMakeLists.txt b/src/cynara-tests/CMakeLists.txt

index 86c578f..bf592b4 100644 (file)
--- a/src/cynara-tests/CMakeLists.txt
+++ b/src/cynara-tests/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2014-2018 Samsung Electronics Co., Ltd All Rights Reserved
  #
  #    Licensed under the Apache License, Version 2.0 (the "License");
  #    you may not use this file except in compliance with the License.
@@ -26,11 +26,14 @@ PKG_CHECK_MODULES(CYNARA_TARGET_DEP
      cynara-client-async
      cynara-creds-dbus
      cynara-creds-gdbus
+    cynara-creds-sd-bus
      cynara-creds-self
      cynara-creds-socket
+    cynara-monitor
      cynara-plugin
      dbus-1
      glib-2.0
+    libsystemd
      )
  FIND_PACKAGE (Threads)
  
@@ -48,6 +51,7 @@ SET(CYNARA_TARGET_TEST_SOURCES
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_cynara_mask.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_env.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_file_operations.cpp
+    ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_monitor.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/plugins/plugins.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/cynara-test.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/test_cases.cpp
@@ -55,6 +59,7 @@ SET(CYNARA_TARGET_TEST_SOURCES
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/test_cases_async.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/test_cases_db.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/test_cases_helpers.cpp
+    ${PROJECT_SOURCE_DIR}/src/cynara-tests/test_cases_monitor.cpp
      )
  
  #header directories
diff --git a/src/cynara-tests/common/cynara_test_agent.cpp b/src/cynara-tests/common/cynara_test_agent.cpp

index e2f408d..48a386c 100644 (file)
--- a/src/cynara-tests/common/cynara_test_agent.cpp
+++ b/src/cynara-tests/common/cynara_test_agent.cpp
@@ -75,4 +75,11 @@ void Agent::putResponse(const AgentResponse &response, int expectedResult)
                           << "response = " << response);
  }
  
+void Agent::cancelWaiting(int expectedResult) {
+    int ret = cynara_agent_cancel_waiting(m_agent);
+    RUNNER_ASSERT_MSG(ret == expectedResult,
+                      "cynara_agent_cancel_waiting returned wrong value: "
+                         << ret << " != " << expectedResult << ".");
+}
+
  } // namespace CynaraTestAgent
diff --git a/src/cynara-tests/common/cynara_test_agent.h b/src/cynara-tests/common/cynara_test_agent.h

index f224fa1..ae667a9 100644 (file)
--- a/src/cynara-tests/common/cynara_test_agent.h
+++ b/src/cynara-tests/common/cynara_test_agent.h
@@ -32,6 +32,7 @@ public:
  
      void getRequest(AgentRequest &request, int expectedResult = CYNARA_API_SUCCESS);
      void putResponse(const AgentResponse &response, int expectedResult = CYNARA_API_SUCCESS);
+    void cancelWaiting(int expectedResult = CYNARA_API_SUCCESS);
  
  private:
      struct cynara_agent *m_agent;
diff --git a/src/cynara-tests/common/cynara_test_client.cpp b/src/cynara-tests/common/cynara_test_client.cpp

index 373130e..357b66a 100644 (file)
--- a/src/cynara-tests/common/cynara_test_client.cpp
+++ b/src/cynara-tests/common/cynara_test_client.cpp
@@ -33,19 +33,24 @@ Client::~Client()
  {
      cynara_finish(m_cynara);
  }
+void Client::check(const char *client, const char *session, const char *user,
+                   const char *privilege, int expectedResult)
+{
+    int ret = cynara_check(m_cynara, client, session, user, privilege);
+    RUNNER_ASSERT_MSG(ret == expectedResult,
+                         "cynara_check returned wrong value: "
+                             << ret << " != " << expectedResult << "."
+                             << " client: " << formatCstr(client) << ","
+                             << " session: " << formatCstr(session) << ","
+                             << " user: " << formatCstr(user) << ","
+                             << " privilege: " << formatCstr(privilege));
+}
  
  void Client::check(const std::string &client, const std::string &session,
                     const std::string &user, const std::string &privilege,
                     int expectedResult)
  {
-    int ret = cynara_check(m_cynara, client.c_str(), session.c_str(), user.c_str(), privilege.c_str());
-    RUNNER_ASSERT_MSG(ret == expectedResult,
-                         "cynara_check returned wrong value: "
-                             << ret << " != " << expectedResult << "."
-                             << " client: " << formatCstr(client.c_str()) << ","
-                             << " session: " << formatCstr(session.c_str()) << ","
-                             << " user: " << formatCstr(user.c_str()) << ","
-                             << " privilege: " << formatCstr(privilege.c_str()));
+    check(client.c_str(), session.c_str(), user.c_str(), privilege.c_str(), expectedResult);
  }
  
  } //namespace CynaraTestClient
diff --git a/src/cynara-tests/common/cynara_test_client.h b/src/cynara-tests/common/cynara_test_client.h

index 5e055d1..53687be 100644 (file)
--- a/src/cynara-tests/common/cynara_test_client.h
+++ b/src/cynara-tests/common/cynara_test_client.h
@@ -29,10 +29,11 @@ public:
      Client();
      virtual ~Client();
  
+    void check(const char *client, const char *session, const char *user, const char *privilege,
+               int expectedResult = CYNARA_API_ACCESS_ALLOWED);
      void check(const std::string &client, const std::string &session,
                 const std::string &user, const std::string &privilege,
                 int expectedResult = CYNARA_API_ACCESS_ALLOWED);
-
  private:
      struct cynara *m_cynara;
  };
diff --git a/src/cynara-tests/common/cynara_test_client_async_client.cpp b/src/cynara-tests/common/cynara_test_client_async_client.cpp

index 57fc289..21c9460 100644 (file)
--- a/src/cynara-tests/common/cynara_test_client_async_client.cpp
+++ b/src/cynara-tests/common/cynara_test_client_async_client.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -137,6 +137,9 @@ void Client::process(int expectedResult,
      tv.tv_sec = timeoutSeconds;
      tv.tv_usec = 0;
  
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wrestrict"
+
      int ret;
      if (m_statusMonitor.getStatus() == READ)
          ret = TEMP_FAILURE_RETRY(select(fd + 1, &fds, NULL, NULL, &tv));
@@ -149,6 +152,7 @@ void Client::process(int expectedResult,
                               << " ret = " << ret);
          return;
      }
+#pragma GCC diagnostic push
      RUNNER_ASSERT_ERRNO_MSG(ret > 0,
                                 "Select returned error:"
                                 << " ret = " << ret);
diff --git a/src/cynara-tests/common/cynara_test_env.cpp b/src/cynara-tests/common/cynara_test_env.cpp

index 4af7659..7b9a1a9 100644 (file)
--- a/src/cynara-tests/common/cynara_test_env.cpp
+++ b/src/cynara-tests/common/cynara_test_env.cpp
@@ -21,6 +21,8 @@
  
  #include <cynara_test_env.h>
  
+#include <sys/mount.h>
+
  using namespace FileOperations;
  
  CynaraTestEnv::CynaraTestEnv()
@@ -36,25 +38,26 @@ void CynaraTestEnv::init(const std::string &testName)
  {
      m_saveDir = TMP_DIR + "/" + testName;
      m_dbSaveDir = m_saveDir + "/db";
-    m_pluginsSaveDir = m_saveDir + "/plugins";
      m_defaultDir = "/etc/security-tests/db_patterns/default";
+    m_pluginsToInstallDir = "/opt/plugins_to_install";
  
      CynaraMask mask;
  
      removeDirFiles(m_dbSaveDir);
      removeDirIfExists(m_dbSaveDir);
-    removeDirFiles(m_pluginsSaveDir);
-    removeDirIfExists(m_pluginsSaveDir);
      removeDirIfExists(m_saveDir);
  
      makeDir(m_saveDir);
+    makeDir(m_pluginsToInstallDir);
+
+    int res = mount(m_pluginsToInstallDir.c_str(), CynaraTestConsts::SERVICE_PLUGINS_DIR.c_str(), NULL, MS_BIND, NULL);
+    RUNNER_ASSERT_ERRNO_MSG(res == 0, "Bind mount failed");
+
      m_dbPresent = dirExists(CynaraTestConsts::DB_DIR);
      if (m_dbPresent) {
          makeDir(m_dbSaveDir);
          copyCynaraFiles(CynaraTestConsts::DB_DIR, m_dbSaveDir);
      }
-    makeDir(m_pluginsSaveDir);
-    copyCynaraFiles(CynaraTestConsts::SERVICE_PLUGINS_DIR, m_pluginsSaveDir);
      unmaskedLoadDefaultDatabase();
  }
  
@@ -68,14 +71,14 @@ void CynaraTestEnv::finish()
      else
          removeDirIfExists(CynaraTestConsts::DB_DIR);
  
-    removeDirFiles(CynaraTestConsts::SERVICE_PLUGINS_DIR);
-    copyCynaraFiles(m_pluginsSaveDir, CynaraTestConsts::SERVICE_PLUGINS_DIR);
+    int res = umount(CynaraTestConsts::SERVICE_PLUGINS_DIR.c_str());
+    RUNNER_ASSERT_ERRNO_MSG(res == 0, "Unmounting failed");
  
      removeDirFiles(m_dbSaveDir);
      removeDirIfExists(m_dbSaveDir);
-    removeDirFiles(m_pluginsSaveDir);
-    removeDirIfExists(m_pluginsSaveDir);
      removeDirIfExists(m_saveDir);
+    removeDirFiles(m_pluginsToInstallDir);
+    removeDirIfExists(m_pluginsToInstallDir);
  }
  
  void CynaraTestEnv::unmaskedLoadDefaultDatabase()
diff --git a/src/cynara-tests/common/cynara_test_env.h b/src/cynara-tests/common/cynara_test_env.h

index 387d6ba..a3bb18c 100644 (file)
--- a/src/cynara-tests/common/cynara_test_env.h
+++ b/src/cynara-tests/common/cynara_test_env.h
@@ -32,8 +32,8 @@ private:
      void unmaskedLoadDefaultDatabase();
      std::string m_saveDir;
      std::string m_dbSaveDir;
-    std::string m_pluginsSaveDir;
      std::string m_defaultDir;
+    std::string m_pluginsToInstallDir;
      bool m_dbPresent;
  };
  
diff --git a/src/cynara-tests/common/cynara_test_monitor.cpp b/src/cynara-tests/common/cynara_test_monitor.cpp

new file mode 100644 (file)

index 0000000..f01df58
--- /dev/null
+++ b/src/cynara-tests/common/cynara_test_monitor.cpp
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include <cynara_test_monitor.h>
+
+#include <tests_common.h>
+
+namespace CynaraTestMonitor {
+
+MonitorEntries::MonitorEntries(cynara_monitor_entry **entries)
+    : m_entries(entries)
+{
+}
+
+MonitorEntries::~MonitorEntries()
+{
+    cynara_monitor_entries_free(m_entries);
+}
+
+size_t MonitorEntries::count()
+{
+    size_t count = 0;
+
+    while (m_entries[count]) {
+        ++count;
+    }
+
+    return count;
+}
+
+const MonitorEntries& MonitorEntries::operator=(cynara_monitor_entry **other)
+{
+    m_entries = other;
+
+    return *this;
+}
+
+const cynara_monitor_entry* MonitorEntries::operator[](size_t i) const
+{
+    return m_entries[i];
+}
+
+Monitor::Monitor(size_t entries)
+    : m_monitor(nullptr)
+{
+    int ret;
+    struct cynara_monitor_configuration *cfg = nullptr;
+
+    if (entries > 0) {
+        ret = cynara_monitor_configuration_create(&cfg);
+        RUNNER_ASSERT_MSG(ret == CYNARA_API_SUCCESS,
+                          "cynara_monitor_configuration_create failed. "
+                          "ret: " << ret);
+        RUNNER_ASSERT_MSG(cfg != nullptr, "cynara_monitor_configuration struct "
+                          "was not initialized");
+
+        ret = cynara_monitor_configuration_set_buffer_size(cfg, entries);
+        RUNNER_ASSERT_MSG(ret ==  CYNARA_API_SUCCESS,
+                          "cynara_monitor_configuration_set_buffer_size failed. "
+                          "ret: " << ret);
+    }
+
+    ret = cynara_monitor_initialize(&m_monitor, cfg);
+    RUNNER_ASSERT_MSG(ret == CYNARA_API_SUCCESS,
+                      "cynara_monitor_initialize failed. ret: " << ret);
+    RUNNER_ASSERT_MSG(m_monitor != nullptr, "cynara_monitor struct was not initialized");
+}
+
+Monitor::~Monitor()
+{
+    cynara_monitor_finish(m_monitor);
+}
+
+cynara_monitor_entry** Monitor::get()
+{
+    struct cynara_monitor_entry **entries;
+    int ret = cynara_monitor_entries_get(m_monitor, &entries);
+    RUNNER_ASSERT_MSG(ret == CYNARA_API_SUCCESS,
+                      "cynara_monitor_entries_get failed. ret: " << ret);
+    RUNNER_ASSERT_MSG(entries != nullptr, "cynara_monitor_entry table was not initialized");
+
+    return entries;
+}
+
+void Monitor::flush()
+{
+    cynara_monitor_entries_flush(m_monitor);
+}
+
+} //namespace CynaraTestMonitor
diff --git a/src/cynara-tests/common/cynara_test_monitor.h b/src/cynara-tests/common/cynara_test_monitor.h

new file mode 100644 (file)

index 0000000..55cbeaf
--- /dev/null
+++ b/src/cynara-tests/common/cynara_test_monitor.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#ifndef CYNARA_TEST_MONITOR_H
+#define CYNARA_TEST_MONITOR_H
+
+#include <cynara-monitor.h>
+
+namespace CynaraTestMonitor {
+
+class MonitorEntries
+{
+public:
+    MonitorEntries(cynara_monitor_entry **entries = NULL);
+    MonitorEntries(const MonitorEntries& that) = delete;
+    virtual ~MonitorEntries();
+
+    const MonitorEntries& operator=(const MonitorEntries &other) = delete;
+    const MonitorEntries& operator=(cynara_monitor_entry **other);
+    const cynara_monitor_entry* operator[](size_t i) const;
+
+    size_t count();
+
+private:
+    cynara_monitor_entry **m_entries;
+};
+
+class Monitor
+{
+public:
+    Monitor(size_t entries = 0);
+    Monitor(const Monitor &that) = delete;
+    virtual ~Monitor();
+
+    const Monitor& operator=(const Monitor &other) = delete;
+
+    cynara_monitor_entry** get();
+    void flush();
+
+private:
+    cynara_monitor *m_monitor;
+};
+
+} //namespace CynaraTestMonitor
+
+#endif // CYNARA_TEST_MONITOR_H
diff --git a/src/cynara-tests/test_cases_agent.cpp b/src/cynara-tests/test_cases_agent.cpp

index 6d90e67..dc3a675 100644 (file)
--- a/src/cynara-tests/test_cases_agent.cpp
+++ b/src/cynara-tests/test_cases_agent.cpp
@@ -460,6 +460,23 @@ void tcag15_agent_disconnects_func()
      client.process(CYNARA_API_SUCCESS, Client::TimeoutExpectation::EXPECT_NO_TIMEOUT, 2);
  }
  
+void tcag16_agent_cancel_waiting_func()
+{
+    Agent agent;
+    AgentRequest request;
+
+    auto testTimeLimit = std::chrono::seconds(2);
+    auto cancelRequest = [&agent]() {
+        agent.cancelWaiting();
+    };
+    auto hangOnGetRequest = [&agent, &request]() {
+        agent.getRequest(request, CYNARA_API_INTERRUPTED);
+    };
+
+    Timeout::callAndWait(testTimeLimit, Timeout::ExpectMode::TIMEOUT,
+                         cancelRequest, hangOnGetRequest);
+}
+
  RUNNER_TEST_GROUP_INIT(cynara_agent_tests)
  
  RUN_CYNARA_TEST(tcag01_set_agent_type_policy_without_plugin)
@@ -477,3 +494,4 @@ RUN_CYNARA_TEST(tcag12_create_two_requests)
  RUN_CYNARA_TEST(tcag13_create_many_requests)
  RUN_CYNARA_TEST(tcag14_client_disconnects)
  RUN_CYNARA_TEST(tcag15_agent_disconnects)
+RUN_CYNARA_TEST(tcag16_agent_cancel_waiting)
diff --git a/src/cynara-tests/test_cases_helpers.cpp b/src/cynara-tests/test_cases_helpers.cpp

index 33481a6..b8d7f13 100644 (file)
--- a/src/cynara-tests/test_cases_helpers.cpp
+++ b/src/cynara-tests/test_cases_helpers.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
  #include <dbus/dbus.h>
  #include <glib-object.h>
  #include <gio/gio.h>
+#include <systemd/sd-bus.h>
  
  #include <tests_common.h>
  #include <access_provider.h>
@@ -45,6 +46,7 @@
  
  #include <cynara-creds-gdbus.h>
  #include <cynara-creds-self.h>
+#include <scoped_process_label.h>
  
  class ProcessCredentials {
  public:
@@ -525,6 +527,158 @@ RUNNER_MULTIPROCESS_TEST(tccgd06_gdbus_credentials_pid) {
      }, "tccgd06");
  }
  
+
+SdBusConnectionPtr createSdBusConnection(const std::string &requestedName) {
+    sd_bus *bus = NULL;
+
+    int r = sd_bus_default_system(&bus);
+    RUNNER_ASSERT_MSG(r >= 0, "Failed to connect do system bus: %s" << strerror(-r));
+
+    if (requestedName.empty() == false) {
+        r = sd_bus_request_name(bus, requestedName.c_str(), SD_BUS_NAME_REPLACE_EXISTING);
+        RUNNER_ASSERT_MSG(r >= 0, "Error in sd_bus_request_name");
+    }
+
+    SdBusConnectionPtr ret(bus, [] (sd_bus *busConnection) {
+        sd_bus_unref(busConnection);
+    });
+
+    return ret;
+}
+
+typedef std::function<void(SdBusConnectionPtr conn, pid_t pid, const std::string &requestedName,
+                           const ProcessCredentials &peerCredentials)> SdBusAssertionFn;
+
+void sdBusTestTemplate(SdBusAssertionFn assertion) {
+    std::string requestedName = "tests.dbus.cynara";
+    const ProcessCredentials peerCredentials;
+
+    SynchronizationPipe pipe;
+    pid_t pid = runInChild(std::bind(dbusServer, std::ref(pipe), std::cref(requestedName),
+                           std::cref(peerCredentials)));
+
+    pipe.claimParentEp();
+    pipe.wait();
+
+    auto conn = createSdBusConnection("");
+    assertion(std::move(conn), pid, requestedName, peerCredentials);
+    pipe.post();
+}
+
+
+RUNNER_TEST_GROUP_INIT(cynara_creds_sd_bus)
+
+void testSdBusClientPid(cynara_client_creds method = CLIENT_METHOD_PID) {
+    sdBusTestTemplate([method] (SdBusConnectionPtr conn, pid_t pid,
+                        const std::string &requestedName,
+                        const ProcessCredentials &) {
+        CStringPtr clientPidStr(CynaraHelperCredentials::sdBusGetClient(std::move(conn),
+                                requestedName.c_str(), method, CYNARA_API_SUCCESS));
+        pid_t clientPid = std::stoi(clientPidStr.get());
+        RUNNER_ASSERT_MSG(pid == clientPid, "PIDs don't match ret = " << clientPid
+                          << "; expected = " << pid);
+    });
+}
+
+void testSdBusClientSmack(cynara_client_creds method = CLIENT_METHOD_SMACK) {
+    sdBusTestTemplate([method] (SdBusConnectionPtr conn, pid_t,
+                        const std::string &requestedName,
+                        const ProcessCredentials &peerCredentials) {
+        CStringPtr label(CynaraHelperCredentials::sdBusGetClient(std::move(conn),
+                         requestedName.c_str(), method, CYNARA_API_SUCCESS));
+        RUNNER_ASSERT_MSG(peerCredentials.label() == label.get(),
+                          "Labels don't match ret = " << label.get()
+                          << "; expected = " << peerCredentials.label());
+    });
+}
+
+RUNNER_MULTIPROCESS_TEST(tccsd01_sd_bus_credentials_client_pid)
+{
+    testSdBusClientPid();
+}
+
+RUNNER_MULTIPROCESS_TEST_SMACK(tccsd02_sd_bus_credentials_client_smack)
+{
+    testSdBusClientSmack();
+}
+
+RUNNER_MULTIPROCESS_TEST_SMACK(tccsd03_sd_bus_credentials_client_default)
+{
+    auto method = getClientDefaultMethod();
+    switch(method) {
+    case CLIENT_METHOD_SMACK:
+        testSdBusClientSmack(CLIENT_METHOD_DEFAULT);
+        break;
+    case CLIENT_METHOD_PID:
+        testSdBusClientPid(CLIENT_METHOD_DEFAULT);
+        break;
+    default:
+        RUNNER_FAIL_MSG("cynara_creds_get_default_client_method returned unexpected value "
+                        << method);
+    }
+}
+
+void testSdBusUserUid(cynara_user_creds method = USER_METHOD_UID) {
+    sdBusTestTemplate([method] (SdBusConnectionPtr conn, pid_t,
+                        const std::string &requestedName,
+                        const ProcessCredentials &peerCredentials) {
+        CStringPtr uidStr(CynaraHelperCredentials::sdBusGetUser(std::move(conn),
+                          requestedName.c_str(), method, CYNARA_API_SUCCESS));
+        uid_t uid = std::stoul(uidStr.get());
+        RUNNER_ASSERT_MSG(peerCredentials.uid() == uid, "UIDs don't match ret = " << uid
+                          << "; expected = "<< peerCredentials.uid());
+    });
+}
+
+void testSdBusUserGid(cynara_user_creds method = USER_METHOD_GID) {
+    sdBusTestTemplate([method] (SdBusConnectionPtr conn, pid_t,
+                        const std::string &requestedName,
+                        const ProcessCredentials &peerCredentials) {
+        CStringPtr gidStr(CynaraHelperCredentials::sdBusGetUser(std::move(conn),
+                          requestedName.c_str(), method, CYNARA_API_SUCCESS));
+        gid_t gid = std::stoul(gidStr.get());
+        RUNNER_ASSERT_MSG(peerCredentials.gid() == gid, "GIDs don't match ret = " << gid
+                          << "; expected = "<< peerCredentials.gid());
+    });
+}
+
+RUNNER_MULTIPROCESS_TEST(tccsd04_sd_bus_credentials_user_uid)
+{
+    testSdBusUserUid();
+}
+
+RUNNER_MULTIPROCESS_TEST(tccsd05_sd_bus_credentials_user_gid)
+{
+    testSdBusUserGid();
+}
+
+RUNNER_MULTIPROCESS_TEST(tccsd06_sd_bus_credentials_user_default)
+{
+    auto method = getUserDefaultMethod();
+    switch(method) {
+    case USER_METHOD_UID:
+        testSdBusUserUid(USER_METHOD_DEFAULT);
+        break;
+    case USER_METHOD_GID:
+        testSdBusUserGid(USER_METHOD_DEFAULT);
+        break;
+    default:
+        RUNNER_FAIL_MSG("cynara_creds_get_default_user_method returned unexpected value "
+                        << method);
+    }
+}
+
+RUNNER_TEST_SMACK(tccd07_sd_bus_credentials_pid) {
+    sdBusTestTemplate([] (SdBusConnectionPtr conn, pid_t expectedPid,
+                          const std::string &requestedName, const ProcessCredentials &) {
+        auto helperPid = CynaraHelperCredentials::sdBusGetPid(std::move(conn),
+                         requestedName.c_str(), CYNARA_API_SUCCESS);
+        RUNNER_ASSERT_MSG(helperPid == expectedPid, "PIDs don't match ret = " << helperPid
+                          << "; expected = " << expectedPid);
+    });
+}
+
+
  RUNNER_TEST_GROUP_INIT(cynara_creds_self)
  
  void testCredsClientSelf(cynara_client_creds method, const std::string &expected) {
@@ -547,7 +701,7 @@ void testCredsUserSelf(cynara_user_creds method, const std::string &expected) {
  
  void testSelfClientSmack(cynara_client_creds method = CLIENT_METHOD_SMACK) {
      std::string label = "test-label";
-    change_label(label.c_str());
+    ScopedProcessLabel spl(label, false);
      testCredsClientSelf(method, label);
  }
  
diff --git a/src/cynara-tests/test_cases_monitor.cpp b/src/cynara-tests/test_cases_monitor.cpp

new file mode 100644 (file)

index 0000000..2cf2898
--- /dev/null
+++ b/src/cynara-tests/test_cases_monitor.cpp
@@ -0,0 +1,231 @@
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ * @file        test_cases_monitor.cpp
+ * @author      Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
+ * @version     1.0
+ * @brief       Tests for libcynara-monitor
+ */
+
+#include <cynara-error.h>
+#include <cynara-client.h>
+#include <cynara-monitor.h>
+
+#include <dpl/test/test_runner.h>
+#include <cynara_test_commons.h>
+#include <cynara_test_client.h>
+#include <cynara_test_monitor.h>
+#include <timeout.h>
+
+using namespace CynaraTestClient;
+using namespace CynaraTestMonitor;
+
+namespace {
+
+inline void assertResult(int ret, int expectedResult)
+{
+    RUNNER_ASSERT_MSG(ret == expectedResult,"Expected result: " << expectedResult
+                      << ", got: " << ret);
+}
+
+void clientChecks(size_t num, size_t start = 0)
+{
+    Client cynaraClient;
+
+    for (size_t i = 0; i < num; ++i) {
+        std::string index = std::to_string(i + start);
+        std::string client = "client" + index;
+        std::string session = "session" + index;
+        std::string user = "user" + index;
+        std::string privilege = "privilege" + index;
+
+        cynaraClient.check(client.c_str(), session.c_str(), user.c_str(),
+                           privilege.c_str(), CYNARA_API_ACCESS_DENIED);
+    }
+}
+
+bool validateEntries(const MonitorEntries &entries, size_t num, size_t start = 0)
+{
+    for (size_t i = 0; i < num; ++i) {
+        std::string index = std::to_string(i + start);
+        std::string client = "client" + index;
+        std::string user = "user" + index;
+        std::string privilege = "privilege" + index;
+
+        if (client != std::string(cynara_monitor_entry_get_client(entries[i])) ||
+            user != std::string(cynara_monitor_entry_get_user(entries[i])) ||
+            privilege != std::string(cynara_monitor_entry_get_privilege(entries[i]))) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
+} // namespace
+
+void tcm01_config_invalid_param_func()
+{
+    int ret = cynara_monitor_configuration_create(nullptr);
+    assertResult(ret, CYNARA_API_INVALID_PARAM);
+}
+
+void tcm02_config_buffer_oversize_func()
+{
+    int ret;
+    struct cynara_monitor_configuration *cfg;
+
+    ret = cynara_monitor_configuration_create(&cfg);
+    assertResult(ret, CYNARA_API_SUCCESS);
+
+    ret = cynara_monitor_configuration_set_buffer_size(cfg, CYNARA_MAX_MONITOR_BUFFER_SIZE);
+    assertResult(ret, CYNARA_API_SUCCESS);
+
+    ret = cynara_monitor_configuration_set_buffer_size(cfg, CYNARA_MAX_MONITOR_BUFFER_SIZE + 1);
+    assertResult(ret, CYNARA_API_INVALID_PARAM);
+}
+
+void tcm03_init_invalid_param_func()
+{
+    int ret = cynara_monitor_initialize(nullptr, nullptr);
+    assertResult(ret, CYNARA_API_INVALID_PARAM);
+}
+
+void tcm04_entries_get_flush_no_entries_func()
+{
+    auto timeLimit = std::chrono::milliseconds(10);
+    Monitor monitor(100);
+    MonitorEntries entries;
+
+    auto getMonitorEntries = [&monitor, &entries]() {
+        entries = monitor.get();
+    };
+
+    auto flush = [&monitor]() {
+        monitor.flush();
+    };
+
+    Timeout::callAndWait(timeLimit, Timeout::ExpectMode::TIMEOUT,
+                         flush, getMonitorEntries);
+
+    // TODO: system's cynara checks might increase this number
+    if (entries.count() != 0)
+        RUNNER_IGNORED_MSG("no entries should've been returned");
+}
+
+void tcm05_entries_get_no_flush_func()
+{
+    auto timeLimit = std::chrono::milliseconds(10);
+    Monitor monitor(100);
+    MonitorEntries entries;
+
+    auto getMonitorEntries = [&monitor, &entries]() {
+        entries = monitor.get();
+    };
+
+    auto client = [&monitor]() {
+        clientChecks(100);
+    };
+
+    Timeout::callAndWait(timeLimit, Timeout::ExpectMode::TIMEOUT,
+                         client, getMonitorEntries);
+
+    RUNNER_ASSERT_MSG(entries.count() == 100, "100 entries should've been returned");
+
+    // TODO: system's cynara checks might cause the entries to differ
+    if (!validateEntries(entries, 100))
+        RUNNER_IGNORED_MSG("Entries received from monitor are not as expected");
+}
+
+void tcm06_entries_get_flush_func()
+{
+    auto getLimit = std::chrono::milliseconds(10);
+    Monitor monitor(200);
+    MonitorEntries entries;
+
+    auto getMonitorEntries = [&monitor, &entries]() {
+        entries = monitor.get();
+    };
+
+    auto clientAndFlush = [&monitor]() {
+        clientChecks(10);
+        monitor.flush();
+    };
+
+    Timeout::callAndWait(getLimit, Timeout::ExpectMode::TIMEOUT,
+                         clientAndFlush, getMonitorEntries);
+
+    // TODO: system's cynara checks might increase this number
+    if (entries.count() != 10)
+        RUNNER_IGNORED_MSG("10 entries should've been returned");
+
+    // TODO: system's cynara checks might cause the entries to differ
+    if (!validateEntries(entries, 10))
+        RUNNER_IGNORED_MSG("Entries received from monitor are not as expected");
+}
+
+void tcm07_entries_get_two_func()
+{
+    auto get1Limit = std::chrono::milliseconds(10);
+    Monitor monitor1(200);
+    Monitor monitor2(100);
+    MonitorEntries entries1;
+    MonitorEntries entries2;
+
+    auto getMonitor1Entries = [&monitor1, &entries1]() {
+        entries1 = monitor1.get();
+    };
+
+    auto clientAndGetMonitor2Entries = [&monitor2, &entries2]() {
+        auto get2Limit = std::chrono::milliseconds(10);
+
+        clientChecks(100);
+
+        auto getMonitor2Entries = [&monitor2, &entries2]() {
+            entries2 = monitor2.get();
+        };
+
+        auto client = []() {
+            clientChecks(100, 100);
+        };
+
+        Timeout::callAndWait(get2Limit, Timeout::ExpectMode::TIMEOUT,
+                             client, getMonitor2Entries);
+    };
+
+    Timeout::callAndWait(get1Limit, Timeout::ExpectMode::TIMEOUT,
+                         clientAndGetMonitor2Entries, getMonitor1Entries);
+
+    RUNNER_ASSERT_MSG(entries1.count() == 200, "200 entries should've been returned by the first monitor");
+    RUNNER_ASSERT_MSG(entries2.count() == 100, "100 entries should've been returned by the second monitor");
+
+    // TODO: system's cynara checks might cause the entries to differ
+    if (!validateEntries(entries1, 200))
+        RUNNER_IGNORED_MSG("Entries received from the first monitor are not as expected");
+    if (!validateEntries(entries2, 100, 100))
+        RUNNER_IGNORED_MSG("Entries received from the second monitor are not as expected");
+}
+
+RUNNER_TEST_GROUP_INIT(cynara_monitor_tests)
+
+RUN_CYNARA_TEST(tcm01_config_invalid_param)
+RUN_CYNARA_TEST(tcm02_config_buffer_oversize)
+RUN_CYNARA_TEST(tcm03_init_invalid_param)
+RUN_CYNARA_TEST(tcm04_entries_get_flush_no_entries)
+RUN_CYNARA_TEST(tcm05_entries_get_no_flush)
+RUN_CYNARA_TEST(tcm06_entries_get_flush)
+RUN_CYNARA_TEST(tcm07_entries_get_two)
diff --git a/src/framework/include/dpl/test/test_case.h b/src/framework/include/dpl/test/test_case.h

index d08d2e0..a731e07 100644 (file)
--- a/src/framework/include/dpl/test/test_case.h
+++ b/src/framework/include/dpl/test/test_case.h
@@ -24,6 +24,8 @@
  #define DPL_TEST_CASE_H
  
  #include <string>
+#include <set>
+#include <memory>
  
  #include <dpl/test/performance_result.h>
  
@@ -63,7 +65,8 @@ private:
      PerformanceResultPtr m_performance;
  };
  
-typedef TestCase* TestCasePtr;
+typedef std::shared_ptr<TestCase> TestCasePtr;
+typedef std::list<TestCasePtr> TestCaseSet;
  
  } // namespace Test
  } // namespace DPL
diff --git a/src/framework/include/dpl/test/test_group.h b/src/framework/include/dpl/test/test_group.h

new file mode 100644 (file)

index 0000000..3d9321d
--- /dev/null
+++ b/src/framework/include/dpl/test/test_group.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+/*
+ * @file        test_group.h
+ * @author      Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+ * @version     1.0
+ * @brief       Base/default class describing a group of tests
+ */
+
+#ifndef DPL_TEST_GROUP_H
+#define DPL_TEST_GROUP_H
+
+#include <string>
+#include <functional>
+
+#include <dpl/test/test_case.h>
+
+namespace DPL {
+namespace Test {
+
+class TestGroup
+{
+public:
+    TestGroup() {}
+
+    virtual ~TestGroup()
+    {
+    }
+
+    const TestCaseSet& GetTests() const
+    {
+        return m_tests;
+    }
+
+    void RemoveIf(const std::function<bool(const TestCasePtr)>& predFn)
+    {
+        m_tests.remove_if(predFn);
+    }
+
+    void Add(TestCase* test)
+    {
+        m_tests.emplace_back(test);
+    }
+
+    virtual void Init() {};
+    virtual void Finish() {};
+
+private:
+    std::string m_name;
+    TestCaseSet m_tests;
+};
+
+typedef TestGroup* TestGroupPtr;
+
+} // namespace Test
+} // namespace DPL
+
+#endif // DPL_TEST_CASE_H
diff --git a/src/framework/include/dpl/test/test_runner.h b/src/framework/include/dpl/test/test_runner.h

index 93809ae..e96d88b 100644 (file)
--- a/src/framework/include/dpl/test/test_runner.h
+++ b/src/framework/include/dpl/test/test_runner.h
@@ -32,13 +32,13 @@
  #include <exception>
  #include <functional>
  #include <iostream>
-#include <list>
  #include <map>
  #include <queue>
  #include <set>
  #include <sstream>
  #include <string>
  #include <vector>
+#include <memory>
  
  #include <dpl/atomic.h>
  #include <dpl/availability.h>
@@ -46,7 +46,7 @@
  #include <dpl/gdbbacktrace.h>
  #include <dpl/singleton.h>
  #include <dpl/test/performance_result.h>
-#include <dpl/test/test_case.h>
+#include <dpl/test/test_group.h>
  #include <dpl/test/test_case_extended.h>
  #include <dpl/test/test_exception.h>
  #include <dpl/test/test_failed.h>
@@ -86,17 +86,13 @@ class TestRunner
      ~TestRunner();
  
    private:
-    typedef std::list<TestCasePtr> TestCaseList;
-    typedef std::map<std::string, TestCaseList> TestCaseGroupMap;
-    typedef std::set<TestCasePtr> TestCaseSet;
+    typedef std::map<std::string, TestGroup*> TestCaseGroupMap;
  
      TestCaseGroupMap m_testGroups;
-    TestCaseSet m_testCaseSet;
  
      TestCasePtr m_currentTestCase;
  
-
-    std::string m_currentGroup;
+    TestGroupPtr m_currentGroup;
  
      // Terminate without any logs.
      // Some test requires to call fork function.
@@ -124,8 +120,8 @@ class TestRunner
      void CollectResult(const std::string& id, const TestResult &result);
  
    public:
-    void InitGroup(const char* name);
-    void RegisterTest(TestCasePtr testCase);
+    void InitGroup(const char* name, TestGroup* group = nullptr);
+    void RegisterTest(TestCase* testCase);
      int ExecTestRunner(int argc, char *argv[]);
      typedef std::vector<std::string> ArgsList;
      int ExecTestRunner(ArgsList args);
@@ -204,6 +200,15 @@ protected:
  } // Test
  } // namespace DPL
  
+#define RUNNER_TEST_GROUP_INIT_ENV(GroupName, GroupEnv)                                 \
+    static int Static##GroupName##Init()                                                \
+    {                                                                                   \
+        DPL::Test::TestRunnerSingleton::Instance().InitGroup(#GroupName, new GroupEnv); \
+        return 0;                                                                       \
+    }                                                                                   \
+    const int DPL_UNUSED Static##GroupName##InitVar =                                   \
+        Static##GroupName##Init();
+
  #define RUNNER_TEST_GROUP_INIT(GroupName)                                 \
      static int Static##GroupName##Init()                                  \
      {                                                                     \
diff --git a/src/framework/src/assert.cpp b/src/framework/src/assert.cpp

index 636a7cf..6adc2ef 100644 (file)
--- a/src/framework/src/assert.cpp
+++ b/src/framework/src/assert.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2011-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
          INTERNAL_LOG("### Function: " << function);
          INTERNAL_LOG(
              "################################################################################");
-    } catch (Exception) {
+    } catch (Exception&) {
          // Just ignore possible double errors
      }
  
diff --git a/src/framework/src/test_results_collector_console.cpp b/src/framework/src/test_results_collector_console.cpp

index dab84f8..796fb4e 100644 (file)
--- a/src/framework/src/test_results_collector_console.cpp
+++ b/src/framework/src/test_results_collector_console.cpp
@@ -21,6 +21,8 @@
   * @brief       Source file containing ConsoleCollector class definition
   */
  
+#include <cstdio>
+
  #include <fstream>
  #include <sstream>
  
@@ -56,6 +58,7 @@ std::string ConsoleCollector::CollectorSpecificHelp() const
  void ConsoleCollector::CollectCurrentTestGroupName(const std::string& name)
  {
      printf("Starting group %s\n", name.c_str());
+    fflush(stdout);
      m_currentGroup = name;
  }
  
@@ -68,6 +71,7 @@ void ConsoleCollector::Finish()
          PrintStats(group.first, group.second);
      }
      PrintStats("All tests together", m_stats);
+    fflush(stdout);
  }
  
  void ConsoleCollector::CollectResult(const std::string& id, const TestResult &result)
@@ -109,6 +113,7 @@ void ConsoleCollector::CollectResult(const std::string& id, const TestResult &re
      default:
          Assert(false && "Bad status");
      }
+    fflush(stdout);
      m_stats.AddTest(result.GetFailStatus());
      m_groupsStats[m_currentGroup].AddTest(result.GetFailStatus());
  }
diff --git a/src/framework/src/test_runner.cpp b/src/framework/src/test_runner.cpp

index dc033a4..26a11d2 100644 (file)
--- a/src/framework/src/test_runner.cpp
+++ b/src/framework/src/test_runner.cpp
@@ -82,15 +82,18 @@ TestResult::FailStatus TryCatch(const std::function<void(void)> &func, std::stri
      return TestResult::FailStatus::NONE;
  }
  
-void TestRunner::RegisterTest(TestCasePtr testCase)
+void TestRunner::RegisterTest(TestCase* testCase)
  {
-    m_testGroups[m_currentGroup].push_back(testCase);
-    m_testCaseSet.insert(testCase);
+    m_currentGroup->Add(testCase);
  }
  
-void TestRunner::InitGroup(const char* name)
+void TestRunner::InitGroup(const char* name, TestGroup* group)
  {
-    m_currentGroup = name;
+    if (group == nullptr)
+        group = new TestGroup();
+
+    m_testGroups[name] = group;
+    m_currentGroup = group;
  }
  
  void TestRunner::normalizeXMLTag(std::string& str, const std::string& testcase)
@@ -119,11 +122,12 @@ bool TestRunner::filterGroupsByXmls(const std::vector<std::string> & files)
      std::string testsuite;
      if(!m_testGroups.empty())
      {
-        for(TestCaseGroupMap::const_iterator cit = m_testGroups.begin(); cit != m_testGroups.end(); ++cit)
+        for(auto cit = m_testGroups.begin(); cit != m_testGroups.end(); ++cit)
          {
-            if(!cit->second.empty())
+            const TestCaseSet& tl = cit->second->GetTests();
+            if(!tl.empty())
              {
-                for(TestCaseList::const_iterator cj = cit->second.begin(); cj != cit->second.end(); ++cj)
+                for(auto cj = tl.begin(); cj != tl.end(); ++cj)
                  {
                      std::string name = (*cj)->GetName();
                      std::string::size_type st = name.find('_');
@@ -209,15 +213,9 @@ bool TestRunner::filterGroupsByXmls(const std::vector<std::string> & files)
  bool TestRunner::filterByXML(std::map<std::string, bool> & casesMap)
  {
      for (auto &group : m_testGroups) {
-        TestCaseList newList;
-        for (auto &tc : group.second)
-        {
-            if (casesMap.find(tc->GetName()) != casesMap.end()) {
-                casesMap[tc->GetName()] = true;
-                newList.push_back(tc);
-            }
-        }
-        group.second = newList;
+        group.second->RemoveIf([&](const TestCasePtr test){
+            return (casesMap.find(test->GetName()) == casesMap.end());
+        });
      }
      for (auto &cs : casesMap)
      {
@@ -276,6 +274,7 @@ void TestRunner::RunTestCase(TestCasePtr testCase)
              if (!testReason.empty())
                  testReason += "\n";
              testReason += finishReason;
+            break;
          case TestResult::FailStatus::NONE:
              if (!cleanupReason.empty()) {
                  if (!testReason.empty())
@@ -305,20 +304,21 @@ void TestRunner::RunTests()
  
      unsigned count = 0;
      for (auto &group : m_testGroups) {
-        count += group.second.size();
+        count += group.second->GetTests().size();
      }
      fprintf(stderr, "%sFound %d testcases...%s\n", GREEN_BEGIN, count, GREEN_END);
      fprintf(stderr, "%s%s%s\n", GREEN_BEGIN, "Running tests...", GREEN_END);
      for (auto &group : m_testGroups) {
-        TestCaseList list = group.second;
-        if (!list.empty()) {
+        const TestCaseSet& set = group.second->GetTests();
+        if (!set.empty()) {
+            group.second->Init();
+
              for (auto &collector : m_collectors) {
                  collector.second->CollectCurrentTestGroupName(group.first);
              }
-            list.sort([](const TestCasePtr &a, const TestCasePtr &b) { return (*a < *b); });
  
-            for (TestCaseList::const_iterator iterator = list.begin();
-                 iterator != list.end();
+            for (TestCaseSet::const_iterator iterator = set.begin();
+                 iterator != set.end();
                   ++iterator)
              {
                  TestCasePtr test = *iterator;
@@ -334,6 +334,7 @@ void TestRunner::RunTests()
                      return;
                  }
              }
+            group.second->Finish();
          }
      }
  
@@ -415,8 +416,8 @@ std::string TestRunner::getConcatedFailReason(const std::string &reason)
  
  TestRunner::~TestRunner()
  {
-    for(auto &t : m_testCaseSet)
-        delete t;
+    for(auto &g : m_testGroups)
+        delete g.second;
  }
  
  void TestRunner::CollectResult(const std::string& id, const TestResult& result)
@@ -553,7 +554,7 @@ int TestRunner::ExecTestRunner(ArgsList args)
          if (arg.find(startCmd) == 0) {
              arg.erase(0, startCmd.length());
              for (auto &group : m_testGroups) {
-                for (auto &tc : group.second) {
+                for (auto &tc : group.second->GetTests()) {
                      if (tc->GetName() == arg) {
                          m_startTestId = arg;
                          break;
@@ -572,13 +573,14 @@ int TestRunner::ExecTestRunner(ArgsList args)
              return 0;
          } else if (arg.find(groupId) == 0) {
              arg.erase(0, groupId.length());
-            TestCaseGroupMap::iterator found = m_testGroups.find(arg);
-            if (found != m_testGroups.end()) {
-                std::string name = found->first;
-                TestCaseList newList = found->second;
-                m_testGroups.clear();
-                m_testGroups[name] = newList;
-            } else {
+            for (auto it = m_testGroups.begin(); it != m_testGroups.end();) {
+                if (it->first == arg)
+                    it++;
+                else
+                    it = m_testGroups.erase(it);
+            }
+
+            if (m_testGroups.empty()) {
                  fprintf(stderr, "Group %s not found\n", arg.c_str());
                  InvalidArgs();
                  Usage();
@@ -595,7 +597,14 @@ int TestRunner::ExecTestRunner(ArgsList args)
              return 0;
          } else if (arg.find(listInGroup) == 0) {
              arg.erase(0, listInGroup.length());
-            for (auto &test : m_testGroups[arg]) {
+            auto it = m_testGroups.find(arg);
+            if (it == m_testGroups.end()) {
+                fprintf(stderr, "Group %s not found\n", arg.c_str());
+                InvalidArgs();
+                Usage();
+                return -1;
+            }
+            for (auto &test : it->second->GetTests()) {
                  printf("ID:%s\n", test->GetName().c_str());
              }
              return 0;
@@ -640,14 +649,9 @@ int TestRunner::ExecTestRunner(ArgsList args)
  
              pcrecpp::RE re(arg.c_str());
              for (auto &group : m_testGroups) {
-                TestCaseList newList;
-                for (auto &tc : group.second)
-                {
-                    if (re.PartialMatch(tc->GetName())) {
-                        newList.push_back(tc);
-                    }
-                }
-                group.second = newList;
+                group.second->RemoveIf([&](const TestCasePtr& test){
+                    return !re.PartialMatch(test->GetName());
+                });
              }
          } else if (arg.find(test) == 0) {
              arg.erase(0, test.length());
@@ -670,14 +674,9 @@ int TestRunner::ExecTestRunner(ArgsList args)
  
              pcrecpp::RE re(arg.c_str());
              for (auto &group : m_testGroups) {
-                TestCaseList newList;
-                for (auto &tc : group.second)
-                {
-                    if (re.FullMatch(tc->GetName())) {
-                        newList.push_back(tc);
-                    }
-                }
-                group.second = newList;
+                group.second->RemoveIf([&](const TestCasePtr& test){
+                    return !re.FullMatch(test->GetName());
+                });
              }
          } else if(arg.find(onlyFromXML) == 0) {
              arg.erase(0, onlyFromXML.length());
@@ -718,7 +717,7 @@ int TestRunner::ExecTestRunner(ArgsList args)
      if(justList)
      {
          for (auto &group : m_testGroups) {
-            for (auto &tc : group.second) {
+            for (auto &tc : group.second->GetTests()) {
                  printf("ID:%s:%s\n", group.first.c_str(), tc->GetName().c_str());
              }
          }
diff --git a/src/security-manager-tests/CMakeLists.txt b/src/security-manager-tests/CMakeLists.txt

index 9d9bcf8..cf08aa4 100644 (file)
--- a/src/security-manager-tests/CMakeLists.txt
+++ b/src/security-manager-tests/CMakeLists.txt
@@ -46,6 +46,7 @@ SET(SEC_MGR_SOURCES
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_credentials.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_dyntransition.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_nss.cpp
+    ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_paths.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_privacy_manager.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_private_sharing.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_public_sharing.cpp
@@ -56,6 +57,7 @@ SET(SEC_MGR_SOURCES
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/security_manager_tests.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/policy_configuration.cpp
      ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_commons.cpp
+    ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/template_parser.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_client.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_admin.cpp
      ${PROJECT_SOURCE_DIR}/src/cynara-tests/plugins/plugins.cpp
diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp

index acaf64d..16db76c 100644 (file)
--- a/src/security-manager-tests/common/sm_commons.cpp
+++ b/src/security-manager-tests/common/sm_commons.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -21,19 +21,23 @@
  #include <grp.h>
  #include <string>
  #include <sys/capability.h>
+#include <sys/prctl.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <unistd.h>
  #include <unordered_map>
  #include <cstdlib>
  
+#include <array>
  #include <unordered_set>
+#include <utility>
  #include <vector>
  
  #include <security-manager-types.h>
  #include <app-runtime.h>
  #include <sys/smack.h>
  #include <privilege_info.h>
+#include <scoped_process_label.h>
  
  #include <cynara_test_client.h>
  #include <dpl/test/test_runner.h>
@@ -46,9 +50,17 @@
  #include <policy_configuration.h>
  #include "tzplatform.h"
  #include <label_generator.h>
+#include <template_parser.h>
+#include <temp_test_user.h>
  
  using namespace SecurityManagerTest;
  
+#define CONF_DIR "/usr/share/security-manager/policy/"
+#define SMACK_RULES_PATH "/sys/fs/smackfs/load2"
+
+#define ALLOW 0
+#define DENY -1
+
  // Common DB/nftw checks
  
  // nftw doesn't allow passing user data to functions. Work around by using global variable
@@ -180,7 +192,75 @@ void sm_app_has_privileges(const AppInstallHelper &app,
      }
  }
  
-static void check_app(const std::string &appId, const std::string &pkgId, bool shouldBeInstalled)
+static void check_app_smack_accesses(const std::string &appId, const std::string &pkgId,
+                                     bool isHybrid = false)
+{
+    static const std::vector<AccessRequest> rules[] =
+        {parseSmackRulesFile(CONF_DIR "pkg-rules-template.smack"),
+         parseSmackRulesFile(CONF_DIR "app-rules-template.smack")};
+
+    const std::pair<std::string, std::string> switchAliases[] =
+        {std::make_pair("~PATH_RW~", generatePathRWLabel(pkgId)),
+         std::make_pair("~PATH_RO~", generatePathROLabel(pkgId)),
+         std::make_pair("~PATH_SHARED_RO~", getSharedROPathLabel()),
+         std::make_pair("~PROCESS~", generateProcessLabel(appId, pkgId, isHybrid))};
+
+    for (auto rule : rules[isHybrid]) {
+        if (rule.object == "~PATH_TRUSTED~") {
+            continue;
+        }
+
+        for (const auto &alias : switchAliases) {
+            if (rule.subject == alias.first) {
+                rule.subject = alias.second;
+            }
+            if (rule.object == alias.first) {
+                rule.object = alias.second;
+            }
+        }
+
+        if (rule.object == "_") {
+            rule.access = "rx" + rule.access;
+        }
+
+        check_exact_smack_accesses(rule.subject, rule.object, rule.access);
+    }
+}
+
+static void assert_no_label_in_rule(const AccessRequest &rule, const std::string &label)
+{
+    RUNNER_ASSERT_MSG(rule.object != label && rule.subject != label,
+                      "Smack rule left after uninstallation process." <<
+                      " Subject: " << rule.subject <<
+                      " object: " << rule.object <<
+                      " access: " << rule.access);
+}
+
+static void check_pkg_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId)
+{
+    const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
+    const std::string labels[] = {generatePathRWLabel(pkgId),
+                                  generatePathROLabel(pkgId),
+                                  generateProcessLabel(appId, pkgId, true),
+                                  generateProcessLabel(appId, pkgId)};
+    for (const auto &rule : rules) {
+        for (const auto &label : labels) {
+            assert_no_label_in_rule(rule, label);
+        }
+    }
+}
+
+static void check_hybrid_app_smack_rules_after_uninstall(const std::string &appId, const std::string &pkgId)
+{
+    const std::vector<AccessRequest> rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH)));
+    const std::string appLabel = generateProcessLabel(appId, pkgId, true);
+    for (const auto &rule : rules) {
+        assert_no_label_in_rule(rule, appLabel);
+    }
+}
+
+static void check_app(const std::string &appId, const std::string &pkgId,
+                      bool shouldBeInstalled, bool isHybrid, bool removePkg)
  {
      char *retPkgId;
      int ret = security_manager_get_app_pkgid(&retPkgId, appId.c_str());
@@ -193,14 +273,21 @@ static void check_app(const std::string &appId, const std::string &pkgId, bool s
              RUNNER_ASSERT_MSG(strcmp(pkgId.c_str(), retPkgId) == 0,
                                "The given appId does not belong to the given pkgId.");
          }
+        check_app_smack_accesses(appId, pkgId, isHybrid);
      } else {
          RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "The given appId is installed.");
+
+        if (removePkg) {
+            check_pkg_smack_rules_after_uninstall(appId, pkgId);
+        } else if (isHybrid) {
+            check_hybrid_app_smack_rules_after_uninstall(appId, pkgId);
+        }
      }
  }
  
-void check_app_after_install(const std::string &app_id, const std::string &pkg_id)
+void check_app_after_install(const std::string &app_id, const std::string &pkg_id, bool isHybrid)
  {
-    check_app(app_id, pkg_id, true);
+    check_app(app_id, pkg_id, true, isHybrid, false);
  }
  
  static void check_app_gids(const std::string &app_id, const std::vector<gid_t> &allowed_gids)
@@ -238,8 +325,7 @@ void check_app_after_install(const std::string &app_id, const std::string &pkg_i
                               const privileges_t &denied_privs,
                               bool isHybrid)
  {
-    check_app(app_id, pkg_id, true);
-
+    check_app(app_id, pkg_id, true, isHybrid, false);
      /* Privileges should be granted to all users if root installs app */
      check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs, isHybrid);
  
@@ -269,15 +355,17 @@ void check_path(const std::string &path, const std::string &label, bool transmut
      RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
  }
  
-void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id)
+void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
+                               bool isHybrid, bool removePkg)
  {
-    check_app(app_id, pkg_id, false);
+    check_app(app_id, pkg_id, false, isHybrid, removePkg);
  }
  
  void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
-                               const privileges_t &privileges, bool isHybrid)
+                               const privileges_t &privileges, bool isHybrid,
+                               bool removePkg)
  {
-    check_app(app_id, pkg_id, false);
+    check_app(app_id, pkg_id, false, isHybrid, removePkg);
  
      /* Privileges should not be granted anymore to any user */
      check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, {}, privileges, isHybrid);
@@ -354,22 +442,30 @@ void accessCheck(const std::string &id, const std::string &path, int accessType,
                         << " (" << accessTypeToString.at(accessType) << ")");
  }
  
+void accessTest(const std::string &id, const std::string &testPath, int accessType) {
+    int oppositeAccessType = getOppositeAccessType(accessType);
+
+    if (accessType != 0) {
+        accessCheck(id, testPath, accessType, ALLOW);
+    }
+    if (oppositeAccessType != 0) {
+        static const std::vector<int> singleAccessTypes = {R_OK, W_OK, X_OK};
+        for (auto singleAccessType : singleAccessTypes) {
+            if (oppositeAccessType & singleAccessType) {
+                accessCheck(id, testPath, singleAccessType, DENY);
+            }
+        }
+    }
+}
+
  void runAccessTest(const std::string &label, uid_t uid, gid_t gid,
                     const std::string &testPath, int accessType) {
      auto fun = [&](){
-        int oppositeAccessType = getOppositeAccessType(accessType);
-        change_label(label.c_str());
+        ScopedProcessLabel spl(label, false);
          RUNNER_ASSERT_ERRNO_MSG(0 == drop_root_privileges(uid, gid),
                                  "drop_root_privileges failed.");
  
-        if (accessType != 0)
-            accessCheck(label, testPath, accessType, 0);
-        if (oppositeAccessType != 0) {
-            std::vector<int> singleAccessTypes = {R_OK, W_OK, X_OK};
-            for (auto singleAccessType : singleAccessTypes)
-                if (oppositeAccessType & singleAccessType)
-                    accessCheck(label, testPath, singleAccessType, -1);
-        }
+        accessTest(label, testPath, accessType);
      };
  
      runInChildParentWait(fun);
@@ -377,18 +473,10 @@ void runAccessTest(const std::string &label, uid_t uid, gid_t gid,
  
  void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType) {
      auto fun = [&](){
-        int oppositeAccessType = getOppositeAccessType(accessType);
          Api::setProcessLabel(app.getAppId());
          RUNNER_ASSERT_ERRNO_MSG(0 == drop_root_privileges(app.getUID(), app.getGID()),
                                  "drop_root_privileges failed.");
-        if (accessType != 0)
-            accessCheck(app.getAppId(), testPath, accessType, 0);
-        if (oppositeAccessType != 0) {
-            std::vector<int> singleAccessTypes = {R_OK, W_OK, X_OK};
-            for (auto singleAccessType : singleAccessTypes)
-                if (oppositeAccessType & singleAccessType)
-                    accessCheck(app.getAppId(), testPath, singleAccessType, -1);
-        }
+        accessTest(app.getAppId(), testPath, accessType);
      };
  
      runInChildParentWait(fun);
@@ -428,3 +516,29 @@ int countPrivacyPrivileges(const std::vector<std::string> &privs) {
      return std::count_if(privs.begin(), privs.end(), isPrivilegePrivacy);
  }
  
+int setLauncherSecurityAttributes(uid_t uid, gid_t gid)
+{
+    // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin),
+    // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed).
+    // By default, the permitted capability set is cleared when credentials change is made
+    // (if a process drops a capability from its permitted set, it can never reacquire that capability),
+    // setting the "keep capabilities" flag prevents it from being cleared.
+    // Effective capability set is always cleared when credential change is made, we need to add them again.
+
+    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep");
+    int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0);
+    if (ret != 0)
+        return ret;
+
+    ret = drop_root_privileges(uid, gid);
+    if (ret != 0)
+        return ret;
+
+    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep");
+    return ret;
+}
+int setLauncherSecurityAttributes(TemporaryTestUser &user)
+{
+    return setLauncherSecurityAttributes(user.getUid(), user.getGid());
+}
+
diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h

index 902d70c..6840281 100644 (file)
--- a/src/security-manager-tests/common/sm_commons.h
+++ b/src/security-manager-tests/common/sm_commons.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -45,17 +45,19 @@ void check_app_permissions(const std::string &app_id, const std::string &pkg_id,
  void sm_app_has_privileges(const AppInstallHelper &app,
                             const std::vector<std::string> &privileges,
                             int result);
-void check_app_after_install(const std::string &app_id, const std::string &pkg_id);
+void check_app_after_install(const std::string &app_id, const std::string &pkg_id,
+                             bool isHybrid = false);
  void check_app_after_install(const std::string &app_id, const std::string &pkg_id,
                               const privileges_t &allowed_privs,
                               const privileges_t &denied_privs,
                               bool isHybrid = false);
  void check_path(const std::string &path, const std::string &label,
                  bool transmute = true, bool execute = false);
-void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id);
  void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
-                               const privileges_t &privileges, bool isHybrid = false);
-
+                               bool isHybrid = false, bool removePkg = false);
+void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
+                               const privileges_t &privileges, bool isHybrid = false,
+                               bool removePkg = false);
  std::string access_opposite(std::string &access);
  void check_exact_smack_accesses(const std::string &subject,
                                  const std::string &object,
@@ -63,6 +65,7 @@ void check_exact_smack_accesses(const std::string &subject,
  
  CapsSetsUniquePtr setCaps(const char *cap_string);
  
+void accessTest(const std::string &id, const std::string &testPath, int accessType);
  void runAccessTest(const std::string &label, uid_t uid, gid_t gid,
                     const std::string &testPath, int accessType);
  void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType);
@@ -72,3 +75,6 @@ bool isAskuserDisabled();
  bool isPrivilegePrivacy(const std::string &priv);
  int countPrivacyPrivileges(const PrivilegeVector &privs);
  int countPrivacyPrivileges(const std::vector<std::string> &privs);
+
+int setLauncherSecurityAttributes(uid_t uid, gid_t gid);
+int setLauncherSecurityAttributes(TemporaryTestUser &user);
diff --git a/src/security-manager-tests/common/template_parser.cpp b/src/security-manager-tests/common/template_parser.cpp

new file mode 100644 (file)

index 0000000..83c5b46
--- /dev/null
+++ b/src/security-manager-tests/common/template_parser.cpp
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+/*
+ * @file        template_parser.cpp
+ * @author      Alicja Kluczek <a.kluczek@samsung.com>
+ * @brief       Parsing function for smack rules templates
+ */
+#include "template_parser.h"
+#include <fstream>
+
+std::vector<AccessRequest> parseSmackRulesFile(const std::string &path)
+{
+    std::vector<AccessRequest> rules;
+    std::ifstream rulesFile(path);
+    std::string object, subject, access;
+    while (rulesFile >> subject >> object >> access) {
+        rules.emplace_back(std::move(subject), std::move(object), std::move(access));
+    }
+    return rules;
+}
+
diff --git a/src/security-manager-tests/common/template_parser.h b/src/security-manager-tests/common/template_parser.h

new file mode 100644 (file)

index 0000000..81a3674
--- /dev/null
+++ b/src/security-manager-tests/common/template_parser.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+/*
+ * @file        template_parser.h
+ * @author      Alicja Kluczek <a.kluczek@samsung.com>
+ * @brief       Parsing function for smack rules templates
+ */
+#include <vector>
+#include <string>
+
+struct AccessRequest {
+    AccessRequest(std::string sub, std::string obj, std::string acc)
+    : subject(std::move(sub)),
+      object(std::move(obj)),
+      access(std::move(acc))
+    {}
+    std::string subject;
+    std::string object;
+    std::string access;
+};
+
+std::vector<AccessRequest> parseSmackRulesFile(const std::string &path);
+
diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp

index 406d303..8b7a7fc 100644 (file)
--- a/src/security-manager-tests/test_cases.cpp
+++ b/src/security-manager-tests/test_cases.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -35,7 +35,6 @@
  #include <message_pipe.h>
  #include <policy_configuration.h>
  #include <scoped_installer.h>
-#include <scoped_label.h>
  #include <service_manager.h>
  #include <sm_api.h>
  #include <sm_commons.h>
@@ -45,6 +44,7 @@
  #include <tests_common.h>
  #include <tzplatform.h>
  #include <uds.h>
+#include <scoped_process_label.h>
  
  using namespace SecurityManagerTest;
  
@@ -139,29 +139,27 @@ RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
      check_path(privateDir, generatePathRWLabel(pkgId));
      check_path(privateRODir, generatePathROLabel(pkgId), false);
      check_path(publicRODir, getPublicPathLabel());
-    check_path(sharedRODir, generatePathSharedROLabel(pkgId));
+    check_path(sharedRODir, getSharedROPathLabel());
  }
  
  RUNNER_TEST(security_manager_02_app_install_uninstall_full)
  {
-    PolicyConfiguration policy;
-    PolicyConfiguration::PrivGroupMap privGroupMap = policy.getPrivGroupMap();
-
-    RUNNER_ASSERT_MSG(privGroupMap.size() >= 4, "Failed to get policy of a suitable size");
-
-    privileges_t allowedPrivs;
-    privileges_t someDeniedPrivs;
+    privileges_t defaultPrivs = {
+        "http://tizen.org/privilege/internal/device/audio",
+        "http://tizen.org/privilege/internal/device/display",
+        "http://tizen.org/privilege/internal/device/video"
+    };
+    privileges_t allowedPrivs = {
+        "http://tizen.org/privilege/camera",
+        "http://tizen.org/privilege/mediastorage"
+    };
+    privileges_t someDeniedPrivs = {
+        "http://tizen.org/privilege/internet",
+        "http://tizen.org/privilege/externalstorage"
+    };
  
-    int counter = 0;
-    for (auto const &it: privGroupMap) {
-        if (counter < 2)
-            allowedPrivs.push_back(it.first);
-        else if (counter < 4)
-            someDeniedPrivs.push_back(it.first);
-        else
-            break;
-        ++counter;
-    }
+    privileges_t defaultAllowedPrivs = defaultPrivs;
+    defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
  
      AppInstallHelper app("sm_test_02");
      app.createPrivateDir();
@@ -173,12 +171,12 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full)
          ScopedInstaller appInstall(app);
  
          check_app_after_install(app.getAppId(), app.getPkgId(),
-                                app.getPrivilegesNames(), someDeniedPrivs);
+                                defaultAllowedPrivs, someDeniedPrivs);
  
          check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
          check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
          check_path(app.getPublicDir(), getPublicPathLabel());
-        check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+        check_path(app.getSharedRODir(), getSharedROPathLabel());
      }
  
      check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivilegesNames());
@@ -446,9 +444,33 @@ RUNNER_TEST(security_manager_09_app_install_constraint_check)
          }
      };
  
-    std::vector<TemporaryTestUser> users = {
-            {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
-            {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
+    auto update = [](const TemporaryTestUser& user,
+                     const char *pkgId,
+                     const char *appId,
+                     const char *version,
+                     const char *author,
+                     bool isHybrid,
+                     enum lib_retcode expected,
+                     bool uninstall = true)
+    {
+        InstallRequest request;
+        request.setAppId(appId);
+        request.setPkgId(pkgId);
+        request.setAppTizenVersion(version);
+        request.setAuthorId(author);
+        request.setUid(user.getUid());
+        if (isHybrid)
+            request.setHybrid();
+        Api::update(request, expected);
+
+        if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
+            Api::uninstall(request);
+        }
+    };
+
+    std::array<TemporaryTestUser, 2> users{
+        TemporaryTestUser{"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
+        TemporaryTestUser{"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
      };
  
      for(auto& gu : users)
@@ -464,16 +486,18 @@ RUNNER_TEST(security_manager_09_app_install_constraint_check)
      install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
      // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
      install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
-    // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
+    // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok for update (different hybrid setting)
      install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
-    // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> fail (different hybrid setting)
-    install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1],  SECURITY_MANAGER_ERROR_INPUT_PARAM);
-    // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
-    install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+    update(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
+    // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
+    install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
+    // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (different hybrid setting)
+    install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
      // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
      install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
-    // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade)
-    install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
+    // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade and different hybrid setting)
+    install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+    update(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
      // uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
      install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
      // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
@@ -484,6 +508,98 @@ RUNNER_TEST(security_manager_09_app_install_constraint_check)
      install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
  }
  
+RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
+{
+    const std::string pkgId = "sm_test_09a_pkg_id_0";
+    const std::vector<std::string> appIds = {"sm_test_09a_app_id_0", "sm_test_09a_app_id_1", "sm_test_09a_app_id_2"};
+
+    {
+        ScopedInstaller appsInstall(appIds, pkgId);
+        // Installing many applications in single request
+        for (const auto &appId : appIds) {
+            check_app_after_install(appId, pkgId);
+        }
+    }
+
+    for (const auto &appId : appIds) {
+        check_app_after_uninstall(appId, pkgId);
+    }
+}
+
+RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
+{
+    const std::string pkgId = "sm_test_09b_pkg_id_0";
+    const std::string appId = "sm_test_09b_app_id_0";
+
+    {
+        ScopedInstaller appsInstall({appId, appId}, pkgId);
+        check_app_after_install(appId, pkgId);
+    }
+
+    check_app_after_uninstall(appId, pkgId);
+}
+
+RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
+{
+    const std::vector<std::string> appIds = {"sm_test_09c_app_id_0", "sm_test_09c_app_id_1", "sm_test_09c_app_id_2"};
+    const std::string pkgId = "sm_test_09c_pkg_id_0";
+
+    {
+        ScopedInstaller appsInstall(appIds, pkgId);
+        // Package is not hybrid, every app has same policy.
+        for (const auto &appId : appIds) {
+            check_app_after_install(appId, pkgId);
+        }
+
+        // Updating package -- changing set of apps in package and setting hybrid mode
+        InstallRequest updateRequest;
+        updateRequest.setPkgId(pkgId);
+        updateRequest.setAppId(appIds[0]);
+        updateRequest.nextApp();
+        updateRequest.setAppId(appIds[1]);
+        updateRequest.setHybrid();
+
+        Api::update(updateRequest);
+        // Package became hybrid, so every app has its own Smack label
+        check_app_after_install(appIds[0], pkgId, true);
+        check_app_after_install(appIds[1], pkgId, true);
+        // Package became hybrid properly,
+        // so app not included in updated version of package was uninstalled.
+        check_app_after_uninstall(appIds[2], pkgId);
+    }
+
+    for (const auto &appId : appIds) {
+        check_app_after_uninstall(appId, pkgId, true, true);
+    }
+}
+
+RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
+{
+    const std::vector<std::string> appIds = {"sm_test_09d_app_id_0", "sm_test_09d_app_id_1", "sm_test_09d_app_id_2"};
+    const std::string pkgId = "sm_test_09d_pkg_id_0";
+    {
+        ScopedInstaller appsInstall(appIds, pkgId);
+
+        InstallRequest updateRequest;
+        updateRequest.setPkgId(pkgId);
+        for (unsigned int i = 0; i < appIds.size(); i++) {
+            if (i > 0) {
+                updateRequest.nextApp();
+            }
+            updateRequest.setAppId(appIds[i]);
+        }
+        updateRequest.setHybrid();
+        Api::update(updateRequest);
+
+        InstallRequest uninstRequest;
+        uninstRequest.setPkgId(pkgId);
+        uninstRequest.setAppId(appIds[0]);
+        Api::uninstall(uninstRequest);
+
+        check_app_after_uninstall(appIds[0], pkgId, true);
+    }
+}
+
  RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
  {
      const std::vector<std::string> allowedPrivs = {
@@ -751,12 +867,14 @@ RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
   */
  RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
  {
+    RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
      TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
      testUser.create();
  
      AppInstallHelper app("sm_test_25e");
  
-    change_label("_");
+    ScopedProcessLabel spl("_", false);
      RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
                              "drop_root_privileges failed");
  
@@ -770,12 +888,14 @@ RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
  
  RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
  {
+    RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
      TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
      testUser.create();
  
      AppInstallHelper app("sm_test_25f");
  
-    change_label("_");
+    ScopedProcessLabel spl("_", false);
      RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
                              "drop_root_privileges failed");
      InstallRequest invalidReq;
@@ -785,7 +905,6 @@ RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
      Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
  }
  
-
  RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
  {
      std::vector<std::string> allowedPrivs = {
@@ -833,7 +952,7 @@ RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
      invalidReq.setPkgId(app.getPkgId());
      invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
      invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
-    Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
  RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
@@ -849,7 +968,7 @@ RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
      invalidReq.setPkgId(app.getPkgId());
      invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
      invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
-    Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
  RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
@@ -871,6 +990,38 @@ RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
      invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
      invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
  
-    Api::install(invalidReq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
+RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
+{
+    TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
+    testUser.create();
+
+    const std::vector<std::string> allowedPrivs = {
+        "http://tizen.org/privilege/wifidirect",
+        "http://tizen.org/privilege/telephony"
+    };
+
+    AppInstallHelper app1("sm_test_26_1", "sm_test_26", testUser.getUid());
+    app1.addPrivileges(allowedPrivs);
+    app1.setHybrid();
+
+    AppInstallHelper app2("sm_test_26_2", "sm_test_26", testUser.getUid());
+    app2.addPrivileges(allowedPrivs);
+    app2.setHybrid();
+
+    {
+        ScopedInstaller appInstall1(app1);
+        ScopedInstaller appInstall2(app2);
+        check_app_permissions(app1.getAppId(), app1.getPkgId(), testUser.getUidString(),
+                              allowedPrivs, {}, app1.getIsHybrid());
+        check_app_permissions(app2.getAppId(), app2.getPkgId(), testUser.getUidString(),
+                              allowedPrivs, {}, app2.getIsHybrid());
+
+    }
+    check_app_permissions(app1.getAppId(), app1.getPkgId(), testUser.getUidString(),
+                          {}, allowedPrivs, app1.getIsHybrid());
+    check_app_permissions(app2.getAppId(), app2.getPkgId(), testUser.getUidString(),
+                          {}, allowedPrivs, app2.getIsHybrid());
+}
diff --git a/src/security-manager-tests/test_cases_app_policy.cpp b/src/security-manager-tests/test_cases_app_policy.cpp

index afd9a09..bb3ab94 100644 (file)
--- a/src/security-manager-tests/test_cases_app_policy.cpp
+++ b/src/security-manager-tests/test_cases_app_policy.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
  #include <vector>
  
  #include <app_install_helper.h>
+#include <pkg_privacy_privileges.h>
  #include <scoped_installer.h>
  #include <sm_api.h>
  #include <sm_commons.h>
@@ -27,10 +28,10 @@
  #include <dpl/test/test_runner.h>
  #include <dpl/test/test_runner_child.h>
  
-const std::vector<std::string> TEST_PRIVACY_PRIVILEGES = {
-        "http://tizen.org/privilege/callhistory.read",
-        "http://tizen.org/privilege/account.read",
-        "http://tizen.org/privilege/healthinfo" };
+const PrivilegeVector TEST_PRIVACY_PRIVILEGES = {
+    Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
+    Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY),
+    Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY) };
  
  using namespace SecurityManagerTest;
  
@@ -49,6 +50,7 @@ RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) {
      RUNNER_ASSERT_MSG(isAskuserDisabled() || expectedPolicyCount > 0,
              "Application won't be installed with any privacy privileges, fix test");
  
+    PkgPrivacyPrivileges setupPrivacyPrivs(app);
      ScopedInstaller appInstall(app);
  
      pid_t pid = fork();
@@ -103,6 +105,7 @@ RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user)
      AppInstallHelper app("sm_test_ap2", tmpUser.getUid());
      app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
  
+    PkgPrivacyPrivileges setupPrivacyPrivs(app);
      ScopedInstaller appInstall(app);
  
      pid_t pid = fork();
@@ -137,6 +140,7 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_
      app.setInstallType(SM_APP_INSTALL_GLOBAL);
      app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
  
+    PkgPrivacyPrivileges setupPrivacyPrivs(app);
      ScopedInstaller appInstall(app);
  
      pid_t pid = fork();
@@ -171,7 +175,10 @@ RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app)
      AppInstallHelper app2("sm_test_ap3_2", tmpUser.getUid());
      app2.addPrivileges(TEST_PRIVACY_PRIVILEGES);
  
+    PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
      ScopedInstaller appInstall1(app1);
+
+    PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
      ScopedInstaller appInstall2(app2);
  
      pid_t pid = fork();
diff --git a/src/security-manager-tests/test_cases_paths.cpp b/src/security-manager-tests/test_cases_paths.cpp

new file mode 100644 (file)

index 0000000..6e6652f
--- /dev/null
+++ b/src/security-manager-tests/test_cases_paths.cpp
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include <app_install_helper.h>
+#include <dpl/test/test_runner.h>
+#include <scoped_installer.h>
+#include <temp_test_user.h>
+#include <label_generator.h>
+#include <sm_commons.h>
+
+using namespace SecurityManagerTest;
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PATHS)
+
+static void checkPaths(const AppInstallHelper &app, AppInstallHelper::RootType type) {
+    check_path(app.getPrivateDir(0, type), generatePathRWLabel(app.getPkgId()));
+    check_path(app.getPrivateRODir(0, type), generatePathROLabel(app.getPkgId()), false);
+    check_path(app.getPublicDir(type), getPublicPathLabel());
+}
+
+RUNNER_TEST(security_manager_101_paths_global_extended)
+{
+    AppInstallHelper app("sm_test_101");
+    app.createPrivateDir(0, AppInstallHelper::RootType::EXTENDED);
+    app.createPrivateRODir(0, AppInstallHelper::RootType::EXTENDED);
+    app.createPublicDir(AppInstallHelper::RootType::EXTENDED);
+
+    ScopedInstaller install(app);
+
+    checkPaths(app, AppInstallHelper::RootType::EXTENDED);
+}
+
+RUNNER_TEST(security_manager_102_paths_local_extended)
+{
+    TemporaryTestUser user("sm_test_102", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("sm_test_102", user.getUid());
+    app.createPrivateDir(0, AppInstallHelper::RootType::EXTENDED);
+    app.createPrivateRODir(0, AppInstallHelper::RootType::EXTENDED);
+    app.createPublicDir(AppInstallHelper::RootType::EXTENDED);
+
+    ScopedInstaller install(app);
+
+    checkPaths(app, AppInstallHelper::RootType::EXTENDED);
+}
+
+RUNNER_TEST(security_manager_103_paths_global_skel)
+{
+    AppInstallHelper app("sm_test_103");
+    app.createPrivateDir(0, AppInstallHelper::RootType::SKEL);
+    app.createPrivateRODir(0, AppInstallHelper::RootType::SKEL);
+    app.createPublicDir(AppInstallHelper::RootType::SKEL);
+
+    ScopedInstaller install(app);
+
+    check_path(app.getPrivateDir(0, AppInstallHelper::RootType::SKEL), generatePathRWLabel(app.getPkgId()));
+    // Below doesn't work, because /etc/skel/apps_rw has transmute and label "User::Home", to which "System::Privileged" has a 't' access
+    //check_path(app.getPrivateRODir(0, AppInstallHelper::RootType::SKEL), generatePathROLabel(app.getPkgId()), false);
+    check_path(app.getPublicDir(AppInstallHelper::RootType::SKEL), getPublicPathLabel());
+}
+
+RUNNER_TEST(security_manager_104_paths_local_skel)
+{
+    TemporaryTestUser user("sm_test_104", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("sm_test_104", user.getUid());
+    app.createPrivateDir(0, AppInstallHelper::RootType::SKEL);
+
+    InstallRequest req;
+    req.setAppId(app.getAppId());
+    req.setPkgId(app.getPkgId());
+    req.setUid(app.getUID());
+    req.addPath(app.getPrivateDir(0, AppInstallHelper::RootType::SKEL), SECURITY_MANAGER_PATH_RW);
+    Api::install(req, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
+}
+
diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp

index 9ddddf1..9ff9179 100644 (file)
--- a/src/security-manager-tests/test_cases_prepare_app.cpp
+++ b/src/security-manager-tests/test_cases_prepare_app.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -14,14 +14,18 @@
   *    limitations under the License.
   */
  
+#include <poll.h>
  #include <sys/smack.h>
  #include <sys/capability.h>
  #include <sys/prctl.h>
+#include <sys/eventfd.h>
  
+#include <cmath>
  #include <thread>
  #include <string>
  #include <memory>
  #include <mutex>
+#include <fstream>
  
  #include <dpl/test/test_runner_child.h>
  #include <dpl/test/test_runner.h>
@@ -41,6 +45,14 @@ const size_t THREADS = 10;
  
  const std::string APP_TEST_USER = "app_test_user";
  
+const std::string EXTERNAL_STORAGE_PRIVILEGE = "http://tizen.org/privilege/externalstorage";
+const std::string MEDIA_STORAGE_PRIVILEGE = "http://tizen.org/privilege/mediastorage";
+
+const std::string ACCESS_DENIED_DIR_PATH = "/usr/share/security-manager/dummy";
+const std::string EXTERNAL_STORAGE_DIR_PATH = "/opt/media";
+const std::string MEDIA_STORAGE_RW_DIR_PATH = "/opt/usr/media";
+const std::string MEDIA_STORAGE_RO_DIR_PATH = "/opt/usr/home/app_test_user/media";
+
  typedef std::unique_ptr<_cap_struct, decltype(&cap_free)> CapPtr;
  
  std::string thread_errors;
@@ -109,26 +121,32 @@ struct ThreadWrapper
      std::thread thread;
  };
  
-int setLauncherSecurityAttributes(TemporaryTestUser &user)
+ino_t getFileInode(const std::string &path)
+{
+    struct stat st;
+    if (stat(path.c_str(), &st) != 0)
+        return 0;
+
+    return st.st_ino;
+}
+
+std::string getTextFileContents(const std::string &path)
+{
+    std::ifstream in(path.c_str());
+    if (in.fail())
+        return std::string();
+    std::stringstream ss;
+    ss << in.rdbuf();
+    return ss.str();
+}
+
+bool isPathBound(const std::string &what, const std::string &where, pid_t pid = 1)
  {
-    // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin),
-    // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed).
-    // By default, the permitted capability set is cleared when credentials change is made
-    // (if a process drops a capability from its permitted set, it can never reacquire that capability),
-    // setting the "keep capabilities" flag prevents it from being cleared.
-    // Effective capability set is always cleared when credential change is made, we need to add them again.
-
-    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep");
-    int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0);
-    if (ret != 0)
-        return ret;
-
-    ret = drop_root_privileges(user.getUid(), user.getGid());
-    if (ret != 0)
-        return ret;
-
-    setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep");
-    return ret;
+    std::string mountinfoPath = std::string("/proc/") + std::to_string(pid) + "/mountinfo";
+    std::string mountinfo = getTextFileContents(mountinfoPath);
+    std::string line = what + " " + where;
+
+    return std::string::npos != mountinfo.find(line);
  }
  
  } // anonymous namespace
@@ -149,7 +167,7 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test)
      if (pid == 0) {
          {
              RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
-
+            Api::prepareAppCandidate();
              ThreadWrapper threads[THREADS];
  
              for (size_t i = 0; i < THREADS; i++)
@@ -161,5 +179,387 @@ RUNNER_CHILD_TEST(security_manager_100_synchronize_credentials_test)
          exit(0);
      } else {
          waitPid(pid);
+        Api::cleanupApp(app.getAppId().c_str(), tmpUser.getUid(), pid);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_101_create_namespace_test_n)
+{
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    AppInstallHelper app("app100_n", tmpUser.getUid());
+    ScopedInstaller appInstall(app);
+    const std::string expectedLabel = app.generateAppLabel();
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid == 0) {
+        {
+            RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+            ThreadWrapper threads[THREADS];
+
+            for (size_t i = 0; i < THREADS; i++)
+                threads[i].run(i, expectedLabel);
+
+            Api::prepareAppCandidate(SECURITY_MANAGER_ERROR_INPUT_PARAM);
+        }
+        RUNNER_ASSERT_MSG(!thread_errors.empty(), std::endl << thread_errors);
+        exit(0);
+    } else {
+        waitPid(pid);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_101_create_namespace_test)
+{
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    AppInstallHelper app("app101", tmpUser.getUid());
+    ScopedInstaller appInstall(app);
+
+    SynchronizationPipe synchPipe;
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid == 0) {
+        synchPipe.claimParentEp();
+        RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+        Api::prepareAppCandidate();
+        Api::prepareApp(app.getAppId().c_str());
+        synchPipe.post();
+        synchPipe.wait();
+
+        exit(0);
+    } else {
+        synchPipe.claimChildEp();
+        synchPipe.wait();
+
+        std::string appBindPath = std::string("/var/run/user/") + std::to_string(tmpUser.getUid())
+                                  + "/apps/" + app.generateAppLabel() + "/" + std::to_string(pid);
+        std::string appProcPath = std::string("/proc/") + std::to_string(pid) + "/ns/mnt";
+        std::string launcherProcPath = std::string("/proc/") + std::to_string(getpid()) + "/ns/mnt";
+
+        ino_t appBindInode = getFileInode(appBindPath);
+        ino_t appProcInode = getFileInode(appProcPath);
+        ino_t launcherProcInode = getFileInode(launcherProcPath);
+
+        RUNNER_ASSERT_ERRNO_MSG(appBindInode != 0, "get inode failed");
+        RUNNER_ASSERT_ERRNO_MSG(appProcInode != 0, "get inode failed");
+        RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != 0, "get inode failed");
+
+        RUNNER_ASSERT_ERRNO_MSG(launcherProcInode != appProcInode, "create mount namespace failed");
+        RUNNER_ASSERT_ERRNO_MSG(appBindInode == appProcInode, "bind namespace failed");
+
+        synchPipe.post();
+        waitPid(pid);
+        Api::cleanupApp(app.getAppId().c_str(), tmpUser.getUid(), pid);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_102_check_propagation_test)
+{
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    AppInstallHelper app("app102", tmpUser.getUid());
+    ScopedInstaller appInstall(app);
+
+    SynchronizationPipe synchPipe;
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid == 0) {
+        synchPipe.claimParentEp();
+        RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+        Api::prepareAppCandidate();
+        Api::prepareApp(app.getAppId().c_str());
+        synchPipe.post();
+        synchPipe.wait();
+
+        exit(0);
+    } else {
+        synchPipe.claimChildEp();
+        synchPipe.wait();
+
+        bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+        synchPipe.post();
+        waitPid(pid);
+        Api::cleanupApp(app.getAppId().c_str(), tmpUser.getUid(), pid);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_103_policy_change_test)
+{
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    AppInstallHelper app("app103", tmpUser.getUid());
+    app.addPrivilege(EXTERNAL_STORAGE_PRIVILEGE);
+    app.addPrivilege(MEDIA_STORAGE_PRIVILEGE);
+    ScopedInstaller appInstall(app);
+
+    SynchronizationPipe synchPipe;
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid == 0) {
+        synchPipe.claimParentEp();
+        RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+        Api::prepareAppCandidate();
+        Api::prepareApp(app.getAppId().c_str());
+        synchPipe.post();
+        synchPipe.wait();
+
+        exit(0);
+    } else {
+        synchPipe.claimChildEp();
+        synchPipe.wait();
+
+        bool result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+        PolicyRequest policyRequest;
+        PolicyEntry policyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), EXTERNAL_STORAGE_PRIVILEGE);
+        policyEntry.setLevel("Deny");
+        policyRequest.addEntry(policyEntry);
+
+        policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), MEDIA_STORAGE_PRIVILEGE);
+        policyEntry.setLevel("Deny");
+        policyRequest.addEntry(policyEntry);
+        Api::sendPolicy(policyRequest);
+
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound");
+
+        policyEntry = PolicyEntry(app.getAppId(),  std::to_string(tmpUser.getUid()), EXTERNAL_STORAGE_PRIVILEGE);
+        policyEntry.setLevel("Allow");
+        policyRequest.addEntry(policyEntry);
+
+        policyEntry = PolicyEntry(app.getAppId(),  std::to_string(tmpUser.getUid()), MEDIA_STORAGE_PRIVILEGE);
+        policyEntry.setLevel("Allow");
+        policyRequest.addEntry(policyEntry);
+        Api::sendPolicy(policyRequest);
+
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, EXTERNAL_STORAGE_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RW_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+        result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid);
+        RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound");
+
+        synchPipe.post();
+        waitPid(pid);
+        Api::cleanupApp(app.getAppId().c_str(), tmpUser.getUid(), pid);
+    }
+}
+
+namespace {
+class Timestamp {
+    uint64_t _;
+    explicit Timestamp(uint64_t ts) : _(ts) {}
+public:
+    Timestamp operator-(const Timestamp &other) const {
+        RUNNER_ASSERT(_ > other._);
+        return Timestamp(_ - other._);
+    }
+    Timestamp operator+(const Timestamp &other) const {
+        return Timestamp(_ + other._);
+    }
+    bool operator<(const Timestamp &other) const {
+        return _ < other._;
+    }
+    Timestamp() = default;
+    static Timestamp future(uint64_t ns) {
+        timespec ts;
+        const auto res = clock_gettime(CLOCK_MONOTONIC_RAW, &ts);
+        RUNNER_ASSERT_ERRNO(!res);
+        return Timestamp(ts.tv_sec * 1000000000ULL + ts.tv_nsec + ns);
+    }
+    static Timestamp now() {
+        return future(0);
+    }
+    template <size_t nLowDigitsToSkip = 3>
+    static void report(Timestamp *ts, size_t n) {
+        std::sort(ts, ts+n);
+        uint64_t sum = 0, mn = -1, mx = 0;
+        long double qsum = 0;
+        for (size_t i = 0; i < n; i++) {
+            const auto t = ts[i]._;
+            sum += t;
+            qsum += decltype(qsum)(t) * t;
+            mn = std::min(mn, t);
+            mx = std::max(mx, t);
+        }
+        uint64_t avg = sum / n;
+        auto qstddev = qsum/n - decltype(qsum)(avg)*avg;
+        const auto out = [](const char *desc, uint64_t t) {
+            char raw[20];
+        char s[20 + 20/3 + 1];
+        size_t j = 0, i = 0;
+        do
+            raw[j++] = '0' + t % 10ULL;
+        while (t /= 10ULL);
+        for (;;) {
+            s[i++] = raw[--j];
+            if (j <= nLowDigitsToSkip)
+                break;
+            if (!(j % 3))
+                s[i++] = ' ';
+        }
+        s[i] = '\0';
+        std::cerr << desc << s;
+    };
+    out("min ", mn);
+    out(" max ", mx);
+    out(" avg ", avg);
+    out(" median ", ts[n/2]._);
+    out(" stddev ", std::floor(std::sqrt(qstddev)));
+    std::cerr << '\n';
+    }
+};
+
+template <class T, size_t N>
+constexpr size_t arraySize(T (&)[N]) { return N; }
+} // namespace
+
+RUNNER_TEST(security_manager_200_prepare_app_perf)
+{
+    constexpr int8_t nThreads = 32;
+    constexpr int8_t nConcurrentAppsSamples[] = { 0 /* 1 app w/ nThreads */, 1, 2, 4, 8, 16, 32 };
+    constexpr uint64_t minTotalBenchTime = 60 * 1000ULL*1000*1000; // 60s
+
+    TemporaryTestUser tmpUser(APP_TEST_USER, GUM_USERTYPE_NORMAL, false);
+    tmpUser.create();
+
+    struct App {
+        AppInstallHelper hlp;
+        pid_t pid;
+    };
+
+    std::vector<Timestamp> candidate, prepare, everything;
+
+    std::vector<App> apps;
+    std::vector<ScopedInstaller> appInstalls;
+
+    constexpr auto nAppsMax = nConcurrentAppsSamples[arraySize(nConcurrentAppsSamples) - 1] ?: 1;
+    apps.reserve(nAppsMax);
+    appInstalls.reserve(nAppsMax);
+
+    const auto uid = tmpUser.getUid();
+    for (int i = 0; i < nAppsMax; i++) {
+        apps.emplace_back(App{AppInstallHelper("app200_" + std::to_string(i), uid), 0});
+        auto &hlp = apps.back().hlp;
+        for (const auto &p : { EXTERNAL_STORAGE_PRIVILEGE, MEDIA_STORAGE_PRIVILEGE,
+                std::string("http://tizen.org/privilege/camera"),
+                std::string("http://tizen.org/privilege/internet") })
+            hlp.addPrivilege(p);
+        hlp.createSharedRODir();
+        appInstalls.emplace_back(ScopedInstaller(hlp));
+    }
+
+    for (const auto nConcurrentAppsDesc : nConcurrentAppsSamples) {
+        const auto nConcurrentApps = nConcurrentAppsDesc ?: 1;
+        const auto timeout = Timestamp::future(minTotalBenchTime / arraySize(nConcurrentAppsSamples));
+        do {
+            SynchronizationPipe synchPipe;
+            auto exitEvFd = eventfd(0, 0);
+            RUNNER_ASSERT(exitEvFd >= 0);
+
+            for (int i = 0; i < nConcurrentApps; i++) {
+                auto &app = apps[i];
+                const auto pid = fork();
+                RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+                if (pid)
+                    app.pid = pid;
+                else {
+                    synchPipe.claimChildEp();
+                    RUNNER_ASSERT_ERRNO_MSG(setLauncherSecurityAttributes(tmpUser) == 0, "launcher failed");
+
+                    const auto appId = app.hlp.getAppId();
+
+                    synchPipe.post(); // declare readiness to start measuring
+                    synchPipe.pollForWait(); // wait for parent to signal all kids simultaneously
+
+                    const auto candBeg = Timestamp::now();
+                    Api::prepareAppCandidate();
+                    const auto candEnd = Timestamp::now();
+
+                    if (!nConcurrentAppsDesc) {
+                        for (int i = 0; i < nThreads; i++)
+                            std::thread([]{ for (;;) usleep(1000); }).detach();
+                    }
+
+                    const auto prepBeg = Timestamp::now();
+                    Api::prepareApp(appId);
+                    const auto prepEnd = Timestamp::now();
+
+                    const Timestamp ts[2] = { candEnd-candBeg, prepEnd-prepBeg };
+                    synchPipe.post(ts, sizeof ts); // post measurement payload
+
+                    // stay idle until all kids are done to simulate idle apps and reduce benchmark noise
+                    pollfd fds[1];
+                    fds->fd = exitEvFd;
+                    fds->events = POLLIN;
+                    auto ret = TEMP_FAILURE_RETRY(poll(fds, 1, -1));
+                    RUNNER_ASSERT_ERRNO(ret > 0);
+
+                    exit(0);
+                }
+            }
+            synchPipe.claimParentEp();
+
+            for (int i = 0; i < nConcurrentApps; i++) // wait for all kids to be ready to start measurement
+                synchPipe.wait();
+            synchPipe.post(); // signal all kids to start measuring
+
+            for (int i = 0; i < nConcurrentApps; i++) {
+                Timestamp ts[2];
+                synchPipe.wait(ts, sizeof ts);
+                candidate.emplace_back(ts[0]);
+                prepare.emplace_back(ts[1]);
+                everything.emplace_back(ts[0] + ts[1]);
+            }
+
+            RUNNER_ASSERT(!eventfd_write(exitEvFd, 1)); // signal all kids to exit now
+
+            for (int i = 0; i < nConcurrentApps; i++) {
+                const auto &app = apps[i];
+                waitPid(app.pid);
+                Api::cleanupApp(app.hlp.getAppId(), uid, app.pid);
+            }
+        } while (Timestamp::now() < timeout);
+
+        if (!nConcurrentAppsDesc)
+            std::cerr << "additionalThreads " << int(nThreads) << ' ';
+        std::cerr << "nConcurrentApps " << int(nConcurrentApps) << " samples " << candidate.size() << '\n';
+        std::cerr << "  prepareAppCandidate [us]:              ";
+        Timestamp::report(candidate.data(), candidate.size());
+        std::cerr << "  prepareApp [us]:                       ";
+        Timestamp::report(prepare.data(), prepare.size());
+        std::cerr << "  prepareAppCandidate + prepareApp [us]: ";
+        Timestamp::report(everything.data(), everything.size());
+        candidate.clear();
+        prepare.clear();
+        everything.clear();
      }
  }
diff --git a/src/security-manager-tests/test_cases_privacy_manager.cpp b/src/security-manager-tests/test_cases_privacy_manager.cpp

index d40e864..c354041 100644 (file)
--- a/src/security-manager-tests/test_cases_privacy_manager.cpp
+++ b/src/security-manager-tests/test_cases_privacy_manager.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
  #include <cynara_test_admin.h>
  #include <dpl/test/test_runner.h>
  #include <dpl/test/test_runner_child.h>
+#include <pkg_privacy_privileges.h>
  #include <policy_configuration.h>
  #include <scoped_installer.h>
  #include <sm_api.h>
@@ -78,18 +79,18 @@ const std::vector<Privileges> TEST_PRIVILEGES = {
      }
  };
  
-const std::vector<Privileges> TEST_PRIVACY_PRIVILEGES = {
+const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = {
      {
-        "http://tizen.org/privilege/telephony",
-        "http://tizen.org/privilege/led",
-        "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
-        "http://tizen.org/privilege/account.read",
-        "http://tizen.org/privilege/healthinfo"
+        Privilege("http://tizen.org/privilege/telephony"),
+        Privilege("http://tizen.org/privilege/led"),
+        Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
+        Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY),
+        Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY),
      },
      {
-        "http://tizen.org/privilege/telephony",
-        "http://tizen.org/privilege/led",
-        "http://tizen.org/privilege/callhistory.read" // privacy-related privileges start here
+        Privilege("http://tizen.org/privilege/telephony"),
+        Privilege("http://tizen.org/privilege/led"),
+        Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
      }
  };
  
@@ -836,6 +837,7 @@ RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges
      PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
      std::vector<PolicyEntry> policyEntries;
      {
+        PkgPrivacyPrivileges setupPrivacyPrivs(app);
          ScopedInstaller installer(app);
          unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
  
@@ -878,12 +880,14 @@ void test_privacy_related_privileges(bool isHybrid) {
      if (isHybrid)
          app1.setHybrid();
      app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
+    PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
      ScopedInstaller installer1(app1);
  
      AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
      if (isHybrid)
          app2.setHybrid();
      app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
+    PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
      ScopedInstaller installer2(app2);
  
      int privacyCount1, privacyCount2;
@@ -941,6 +945,7 @@ RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges
      AppInstallHelper app("sm_test_20", user.getUid());
      app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
  
+    PkgPrivacyPrivileges setupPrivacyPrivs(app);
      ScopedInstaller installer(app);
  
      CynaraTestAdmin::Admin admin;
@@ -960,3 +965,325 @@ RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges
          }
      }
  }
+
+RUNNER_CHILD_TEST(security_manager_21_fetch_app_manifest_invalid_params)
+{
+    int ret = security_manager_get_app_manifest_policy(nullptr, 0, nullptr, nullptr);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_INPUT_PARAM, "Expected invalid input param, returned " << ret);
+}
+
+
+RUNNER_CHILD_TEST(security_manager_22_fetch_app_manifest_no_app)
+{
+    char **privileges;
+    size_t nPrivs = 0;
+    int ret = security_manager_get_app_manifest_policy("not_existing_app_id", 0, &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "Expected no such object error, returned " << ret);
+}
+
+RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user)
+{
+    TemporaryTestUser user("sm_test_23_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_23_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
+    ScopedInstaller appInstall(app);
+
+    char **privileges;
+    size_t nPrivs = 0;
+    int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
+    // Should security-manager check if user exists?
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
+}
+
+static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs)
+{
+    std::vector<std::string> aihPrivs = aih.getPrivilegesNames();
+    RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs);
+    for (size_t i = 0; i < nPrivs; ++i) {
+        RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(),
+                          "Privilege " << privileges[i] << " not found");
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_global_app)
+{
+    TemporaryTestUser user("sm_test_24_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_24_fetch");
+    app.setInstallType(SM_APP_INSTALL_GLOBAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    char **privileges;
+    size_t nPrivs = 0;
+
+    int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    check_privileges_from_manifest(app, privileges, nPrivs);
+    security_manager_privileges_free(privileges, nPrivs);
+
+    // since app is installed globally, also for our temporary user the returned list should be the same
+    nPrivs = 0;
+    ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    check_privileges_from_manifest(app, privileges, nPrivs);
+    security_manager_privileges_free(privileges, nPrivs);
+}
+
+RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_local_app)
+{
+    TemporaryTestUser user("sm_test_25_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_25_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    char **privileges;
+    size_t nPrivs = 0;
+
+    int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    check_privileges_from_manifest(app, privileges, nPrivs);
+    security_manager_privileges_free(privileges, nPrivs);
+
+    // since app is installed locally, if we ask for other user (ie. root), we should get empty list of privileges
+    nPrivs = 0;
+    ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
+}
+
+RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_both_apps)
+{
+    TemporaryTestUser user("sm_test_26_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper appGlobal("security_manager_26_fetch");
+    appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
+    appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    appGlobal.addPrivilege(std::string("http://tizen.org/privielge/contacts.read"));
+    ScopedInstaller appGlobalInstall(appGlobal);
+
+    AppInstallHelper appLocal("security_manager_26_fetch", user.getUid());
+    appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
+    appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appLocalInstall(appLocal);
+
+
+    char **privileges;
+    size_t nPrivs = 0;
+
+    int ret = security_manager_get_app_manifest_policy(appLocal.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+    check_privileges_from_manifest(appLocal, privileges, nPrivs);
+    security_manager_privileges_free(privileges, nPrivs);
+
+    nPrivs = 0;
+    ret = security_manager_get_app_manifest_policy(appGlobal.getAppId().c_str(), 0, &privileges, &nPrivs);
+    RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected succes, returned " << ret);
+    check_privileges_from_manifest(appGlobal, privileges, nPrivs);
+    security_manager_privileges_free(privileges, nPrivs);
+}
+
+RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_positive)
+{
+    TemporaryTestUser user("sm_test_27_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_27_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+    if (pid != 0) { //parent process
+        waitPid(pid);
+    } else { //child process
+        Api::setProcessLabel(app.getAppId());
+        RUNNER_ASSERT_ERRNO_MSG(
+                drop_root_privileges(user.getUid(), user.getGid()) == 0,
+                "drop_root_privileges failed");
+        char **privileges;
+        size_t nPrivs = 0;
+        int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+        exit(0);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive)
+{
+    TemporaryTestUser user("sm_test_28_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_28_fetch");
+    app.setInstallType(SM_APP_INSTALL_GLOBAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+    if (pid != 0) { //parent process
+        waitPid(pid);
+    } else { //child process
+        Api::setProcessLabel(app.getAppId());
+        RUNNER_ASSERT_ERRNO_MSG(
+                drop_root_privileges(user.getUid(), user.getGid()) == 0,
+                "drop_root_privileges failed");
+        char **privileges;
+        size_t nPrivs = 0;
+        int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+        exit(0);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid)
+{
+    TemporaryTestUser user("sm_test_29_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    TemporaryTestUser user1("sm_test_29_fetch_username_1", GUM_USERTYPE_NORMAL);
+    user1.create();
+
+    AppInstallHelper app("security_manager_29_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    AppInstallHelper app1("security_manager_29_fetch", user1.getUid());
+    app1.setInstallType(SM_APP_INSTALL_LOCAL);
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
+    ScopedInstaller appInstall1(app1);
+
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+    if (pid != 0) { //parent process
+        waitPid(pid);
+    } else { //child process
+        Api::setProcessLabel(app1.getAppId());
+        RUNNER_ASSERT_ERRNO_MSG(
+                drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
+                "drop_root_privileges failed");
+        char **privileges;
+        size_t nPrivs = 0;
+        int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
+
+        nPrivs = 0;
+        ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user1.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app1, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+        exit(0);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label)
+{
+    TemporaryTestUser user("sm_test_30_fetch_username", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("security_manager_30_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    AppInstallHelper app1("security_manager_30_fetch_1", user.getUid());
+    app1.setInstallType(SM_APP_INSTALL_LOCAL);
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
+    ScopedInstaller appInstall1(app1);
+
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+    if (pid != 0) { //parent process
+        waitPid(pid);
+    } else { //child process
+        Api::setProcessLabel(app1.getAppId());
+        RUNNER_ASSERT_ERRNO_MSG(
+                drop_root_privileges(user.getUid(), user.getGid()) == 0,
+                "drop_root_privileges failed");
+        char **privileges;
+        size_t nPrivs = 0;
+        int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
+
+        nPrivs = 0;
+        ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app1, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+        exit(0);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege)
+{
+    TemporaryTestUser user("sm_test_31_fetch_username", GUM_USERTYPE_ADMIN);
+    user.create();
+
+    AppInstallHelper app("security_manager_31_fetch", user.getUid());
+    app.setInstallType(SM_APP_INSTALL_LOCAL);
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    ScopedInstaller appInstall(app);
+
+    AppInstallHelper app1("security_manager_31_fetch_1", user.getUid());
+    app1.setInstallType(SM_APP_INSTALL_LOCAL);
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read"));
+    app1.addPrivilege(std::string("http://tizen.org/privilege/internal/usermanagement"));
+    ScopedInstaller appInstall1(app1);
+
+
+    pid_t pid = fork();
+    RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+    if (pid != 0) { //parent process
+        waitPid(pid);
+    } else { //child process
+        Api::setProcessLabel(app1.getAppId());
+        RUNNER_ASSERT_ERRNO_MSG(
+                drop_root_privileges(user.getUid(), user.getGid()) == 0,
+                "drop_root_privileges failed");
+        char **privileges;
+        size_t nPrivs = 0;
+        int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+
+        nPrivs = 0;
+        ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
+        RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
+        check_privileges_from_manifest(app1, privileges, nPrivs);
+        security_manager_privileges_free(privileges, nPrivs);
+        exit(0);
+    }
+}
diff --git a/src/security-manager-tests/test_cases_private_sharing.cpp b/src/security-manager-tests/test_cases_private_sharing.cpp

index 4e02d19..4f99eba 100644 (file)
--- a/src/security-manager-tests/test_cases_private_sharing.cpp
+++ b/src/security-manager-tests/test_cases_private_sharing.cpp
@@ -37,7 +37,7 @@
  
  using namespace SecurityManagerTest;
  
-RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVATE_SHARING)
  
  /*
   * Check if request is rejected when incomplete
diff --git a/src/security-manager-tests/test_cases_public_sharing.cpp b/src/security-manager-tests/test_cases_public_sharing.cpp

index 05d9e82..b71ad04 100644 (file)
--- a/src/security-manager-tests/test_cases_public_sharing.cpp
+++ b/src/security-manager-tests/test_cases_public_sharing.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -15,6 +15,7 @@
   */
  #include <cstdint>
  #include <fcntl.h>
+#include <functional>
  #include <unordered_map>
  #include <string>
  #include <sys/smack.h>
@@ -32,6 +33,7 @@ using namespace SecurityManagerTest;
  namespace {
  
  const uid_t OWNER_UID = 5001;
+const uid_t OWNER_GID = 100;
  
  const std::vector<std::string> versions = {
          "2.4",
@@ -54,6 +56,25 @@ const VersionCombinations versionCombinations = makeVersionCombinations(versions
  
  RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
  
+static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId,
+                          std::function<void(void)> f)
+{
+    pid_t pid = fork();
+
+    RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+    if (pid == 0) {
+        setLauncherSecurityAttributes(uid, gid);
+        Api::prepareAppCandidate();
+        Api::prepareApp(appId.c_str());
+        f();
+        exit(0);
+    } else {
+
+        waitPid(pid);
+        Api::cleanupApp(appId.c_str(), uid, pid);
+    }
+}
+
  /**
   * Check whether owner app have access to own sharedRO dir
   */
@@ -64,10 +85,29 @@ RUNNER_CHILD_TEST(security_manager_76_owner_access)
          app.createSharedRODir();
          ScopedInstaller sharedROPkgApp(app);
  
-        runAccessTest(app, app.getSharedRODir(), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() {
+            accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
      }
  }
  
+RUNNER_CHILD_TEST(security_manager_7x_test)
+{
+    AppInstallHelper ownerApp("owner_7x", OWNER_UID);
+    ownerApp.createSharedRODir();
+    ScopedInstaller ownerAppInstall(ownerApp);
+
+    AppInstallHelper otherApp("other_7x", OWNER_UID);
+    otherApp.createSharedRODir();
+    ScopedInstaller otherAppInstall(otherApp);
+
+    runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() {
+        accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK);
+        accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK);
+        exit(0);
+    });
+}
+
  /**
   * Check whether app without shared RO path has access to shared RO dir and
   * no access to private directories of application from different package between
@@ -84,9 +124,14 @@ RUNNER_CHILD_TEST(security_manager_77_owner_other_access_version_combinations)
          AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second);
          ScopedInstaller nonSharedAppInstall(nonSharedApp);
  
-        runAccessTest(sharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), 0);
-        runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
+            accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
+            accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
+        });
      }
  }
  
@@ -108,12 +153,17 @@ RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_sh
          sharedApp2.createPrivateDir();
          ScopedInstaller sharedApp2Install(sharedApp2);
  
-        runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(sharedApp1, sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp1.getPrivateDir(), 0);
-        runAccessTest(sharedApp1, sharedApp2.getPrivateDir(), 0);
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
+            accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
+            accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
+            accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK);
+            accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
+            accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0);
+        });
      }
  }
  
@@ -134,9 +184,13 @@ RUNNER_CHILD_TEST(security_manager_79a_same_pkg_shared_ro_have_ro_access_to_shar
          sharedApp2.createSharedRODir();
          ScopedInstaller sharedAppInstall2(sharedApp2);
  
-        runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
-    };
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
+            accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
+    }
  }
  
  /**
@@ -155,7 +209,9 @@ RUNNER_CHILD_TEST(security_manager_79b_same_pkg_shared_ro_have_ro_access_to_shar
          AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version);
          ScopedInstaller nonSharedAppInstall(nonSharedApp);
  
-        runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
      };
  }
  
@@ -181,14 +237,23 @@ RUNNER_CHILD_TEST(security_manager_80_same_pkg_shared_ro_have_no_access_to_share
          AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version);
          ScopedInstaller nonSharedAppInstall(nonSharedApp);
  
-        runAccessTest(sharedApp2, sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp1, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
-        runAccessTest(nonSharedApp, sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
-        runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
+            accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
+        });
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
+            accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
+        });
  
          sharedAppInstall1.uninstallApp();
  
-        runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
+        });
      }
  }
  
@@ -218,16 +283,22 @@ RUNNER_CHILD_TEST(security_manager_81_add_path_to_app_and_check_all)
          sharedRORequest.setUid(sharedApp2.getUID());
          Api::registerPaths(sharedRORequest);
  
-        runAccessTest(sharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp, sharedApp.getPrivateDir(), R_OK|W_OK|X_OK);
-
-        runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp.getPrivateDir(), 0);
-
-        runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), 0);
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
+            accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
+            accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
+            accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
+            accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
+            accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
+            accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
+        });
      }
  }
  
@@ -248,7 +319,7 @@ RUNNER_CHILD_TEST(security_manager_82_add_invalid_path_to_app_and_check_all)
          sharedRORequest.setPkgId(nonSharedApp.getPkgId());
          sharedRORequest.addPath(sharedApp.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
          sharedRORequest.setUid(nonSharedApp.getUID());
-        Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+        Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
      }
  }
  
@@ -270,12 +341,17 @@ RUNNER_CHILD_TEST(security_manager_83_install_uninstall_shared_ro_app_and_check_
          ScopedInstaller nonSharedAppInstall(nonSharedApp);
  
          sharedAppInstall1.uninstallApp();
+        sharedApp1.removePaths();
  
-        runAccessTest(nonSharedApp, sharedApp1.getSharedRODir(), 0);
-        runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), 0);
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0);
+            accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
+        });
  
-        runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), R_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0);
+            accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
+        });
      }
  }
  
@@ -302,7 +378,12 @@ RUNNER_CHILD_TEST(security_manager_84_install_uninstall_shared_ro_two_apps_in_on
  
          sharedAppInstall1.uninstallApp();
  
-        runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(2), R_OK|X_OK);
-        runAccessTest(sharedApp2, sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK);
+        runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
+            accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK);
+        });
+
+        runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
+            accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK);
+        });
      }
  }
diff --git a/src/security-manager-tests/test_cases_register_paths.cpp b/src/security-manager-tests/test_cases_register_paths.cpp

index 88e0896..26970c0 100644 (file)
--- a/src/security-manager-tests/test_cases_register_paths.cpp
+++ b/src/security-manager-tests/test_cases_register_paths.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved
   *
   *    Licensed under the Apache License, Version 2.0 (the "License");
   *    you may not use this file except in compliance with the License.
@@ -85,7 +85,8 @@ RUNNER_TEST(security_manager_57_path_req_wrong_uid)
      preq.setInstallType(SM_APP_INSTALL_LOCAL);
      preq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
  
-    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
+    // Not sure why this shouldn't be invalid param
+    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_UNKNOWN);
  }
  
  RUNNER_TEST(security_manager_58_path_req_empty_paths)
@@ -117,6 +118,27 @@ RUNNER_TEST(security_manager_59_path_req_as_root_positive)
      Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
  }
  
+RUNNER_TEST(security_manager_59a_path_req_as_root_positive_realpath_check)
+{
+    TemporaryTestUser user("sm_test_59a_user_name", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("sm_test_59a", user.getUid());
+    ScopedInstaller appInstall(app);
+
+    app.createPrivateDir();
+    PathsRequest preq;
+    preq.setPkgId(app.getPkgId());
+    preq.setUid(user.getUid());
+    std::string privPath = "/opt/.././" + app.getPrivateDir();
+    size_t pos = privPath.find_last_of("/");
+    std::string lastElem = privPath.substr(pos + 1);
+
+    preq.addPath(privPath + "/../" + lastElem, SECURITY_MANAGER_PATH_RW);
+
+    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
  RUNNER_CHILD_TEST(security_manager_60_path_req_as_user_positive)
  {
      TemporaryTestUser user("sm_test_60_user_name", GUM_USERTYPE_NORMAL, false);
@@ -136,6 +158,30 @@ RUNNER_CHILD_TEST(security_manager_60_path_req_as_user_positive)
      Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
  }
  
+RUNNER_CHILD_TEST(security_manager_60a_path_req_as_user_positive_realpath_check)
+{
+    TemporaryTestUser user("sm_test_60a_user_name", GUM_USERTYPE_NORMAL);
+    user.create();
+
+    AppInstallHelper app("sm_test_60a", user.getUid());
+    ScopedInstaller appInstall(app);
+
+    RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+                            "drop_root_privileges failed");
+
+    app.createPrivateDir();
+    PathsRequest preq;
+    preq.setPkgId(app.getPkgId());
+    preq.setUid(user.getUid());
+    std::string privPath = "/opt/.././" + app.getPrivateDir();
+    size_t pos = privPath.find_last_of("/");
+    std::string lastElem = privPath.substr(pos + 1);
+
+    preq.addPath(privPath + "/../" + lastElem, SECURITY_MANAGER_PATH_RW);
+
+    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
  RUNNER_CHILD_TEST(security_manager_61_path_req_different_user)
  {
      TemporaryTestUser user1("sm_test_61_1_user_name", GUM_USERTYPE_NORMAL, false);
@@ -172,7 +218,7 @@ static void checkOutsidePath(const std::string& pkgId, uid_t uid, const std::str
      preq.setUid(uid);
      preq.addPath(path, SECURITY_MANAGER_PATH_RW);
  
-    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
  RUNNER_TEST(security_manager_62_path_req_path_outside)
@@ -212,7 +258,7 @@ RUNNER_CHILD_TEST(security_manager_63a_path_req_as_user)
      preq.setInstallType(SM_APP_INSTALL_GLOBAL);
      preq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
  
-    Api::registerPaths(preq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::registerPaths(preq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
  RUNNER_CHILD_TEST(security_manager_63b_path_req_preloaded_as_user)
@@ -234,7 +280,7 @@ RUNNER_CHILD_TEST(security_manager_63b_path_req_preloaded_as_user)
      preq.setInstallType(SM_APP_INSTALL_PRELOADED);
      preq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
  
-    Api::registerPaths(preq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+    Api::registerPaths(preq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
  }
  
  RUNNER_TEST(security_manager_64a_path_req_as_local_as_root)
@@ -301,7 +347,7 @@ RUNNER_TEST(security_manager_66_path_req_check_labels)
      check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
      check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
      check_path(app.getPublicDir(), getPublicPathLabel());
-    check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+    check_path(app.getSharedRODir(), getSharedROPathLabel());
  }
  
  RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0)
@@ -321,7 +367,7 @@ RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0)
      preq.addPath(app.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
  
      Api::registerPaths(preq);
-    check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+    check_path(app.getSharedRODir(), getSharedROPathLabel());
  }
  
  RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X)
@@ -341,7 +387,7 @@ RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X)
      preq.addPath(app.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
  
      Api::registerPaths(preq);
-    check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+    check_path(app.getSharedRODir(), getSharedROPathLabel());
  }
  
  RUNNER_TEST(security_manager_69_path_req_trusted_rw_no_author)
diff --git a/src/security-tests-all.sh b/src/security-tests-all.sh

index a4fc738..3584e95 100644 (file)
--- a/src/security-tests-all.sh
+++ b/src/security-tests-all.sh
@@ -28,7 +28,7 @@ function runTest
  {
      # 'text' - console output
      # 'summary' - used for summary view
-    security-tests.sh "$1" --output=text --output=summary "$ign"
+    security-tests.sh "$1" --output=text --output=summary $ign
      addSummary
  }
  
diff --git a/src/security-tests.sh b/src/security-tests.sh

index 6490ac6..1cf60b6 100644 (file)
--- a/src/security-tests.sh
+++ b/src/security-tests.sh
@@ -1,7 +1,7 @@
  #!/bin/sh
  
  #####################################################################
-# Copyright (c) 2012-2018 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2012 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
  #
  #    Licensed under the Apache License, Version 2.0 (the "License");
  #    you may not use this file except in compliance with the License.
@@ -44,12 +44,11 @@ case $1 in
      echo "========================================================================="
      echo "KEY MANAGER UNPRIVILEGED TESTS"
      echo
-    ARGS="${@:2}"
-    su - owner -c "ckm-tests $ARGS"
+    su - owner -c "ckm-tests ${@:2}"
      echo "========================================================================="
      echo "KEY MANAGER PRIVILEGED TESTS"
      echo
-    ckm-tests-on-onlycap.sh $ARGS
+    ckm-privileged-tests "${@:2}"
      ;;
  "yaca")
      echo "========================================================================="
diff --git a/src/yaca/test-vectors/sign_param_comb.txt b/src/yaca/test-vectors/sign_param_comb.txt

new file mode 100644 (file)

index 0000000..3dda1bb
--- /dev/null
+++ b/src/yaca/test-vectors/sign_param_comb.txt
@@ -0,0 +1,415 @@
+# YACA_KEY_LENGTH_EC_PRIME192V1 - 805306560
+# YACA_KEY_LENGTH_EC_PRIME256V1 - 805306624
+# YACA_KEY_LENGTH_EC_SECP256K1  - 824180992
+# YACA_KEY_LENGTH_EC_SECP384R1  - 823132544
+# YACA_KEY_LENGTH_EC_SECP521R1  - 823132681
+
+key_type=EC_PRIV
+key_len_bits=805306560
+padding=
+algo=SHA1
+
+key_type=EC_PRIV
+key_len_bits=805306560
+padding=
+algo=SHA224
+
+key_type=EC_PRIV
+key_len_bits=805306560
+padding=
+algo=SHA256
+
+key_type=EC_PRIV
+key_len_bits=805306560
+padding=
+algo=SHA384
+
+key_type=EC_PRIV
+key_len_bits=805306560
+padding=
+algo=SHA512
+
+key_type=EC_PRIV
+key_len_bits=805306624
+padding=
+algo=SHA1
+
+key_type=EC_PRIV
+key_len_bits=805306624
+padding=
+algo=SHA224
+
+key_type=EC_PRIV
+key_len_bits=805306624
+padding=
+algo=SHA256
+
+key_type=EC_PRIV
+key_len_bits=805306624
+padding=
+algo=SHA384
+
+key_type=EC_PRIV
+key_len_bits=805306624
+padding=
+algo=SHA512
+
+key_type=EC_PRIV
+key_len_bits=824180992
+padding=
+algo=SHA1
+
+key_type=EC_PRIV
+key_len_bits=824180992
+padding=
+algo=SHA224
+
+key_type=EC_PRIV
+key_len_bits=824180992
+padding=
+algo=SHA256
+
+key_type=EC_PRIV
+key_len_bits=824180992
+padding=
+algo=SHA384
+
+key_type=EC_PRIV
+key_len_bits=824180992
+padding=
+algo=SHA512
+
+key_type=EC_PRIV
+key_len_bits=823132544
+padding=
+algo=SHA1
+
+key_type=EC_PRIV
+key_len_bits=823132544
+padding=
+algo=SHA224
+
+key_type=EC_PRIV
+key_len_bits=823132544
+padding=
+algo=SHA256
+
+key_type=EC_PRIV
+key_len_bits=823132544
+padding=
+algo=SHA384
+
+key_type=EC_PRIV
+key_len_bits=823132544
+padding=
+algo=SHA512
+
+key_type=EC_PRIV
+key_len_bits=823132681
+padding=
+algo=SHA1
+
+key_type=EC_PRIV
+key_len_bits=823132681
+padding=
+algo=SHA224
+
+key_type=EC_PRIV
+key_len_bits=823132681
+padding=
+algo=SHA256
+
+key_type=EC_PRIV
+key_len_bits=823132681
+padding=
+algo=SHA384
+
+key_type=EC_PRIV
+key_len_bits=823132681
+padding=
+algo=SHA512
+
+key_type=DSA_PRIV
+key_len_bits=512
+padding=
+algo=SHA1
+
+key_type=DSA_PRIV
+key_len_bits=512
+padding=
+algo=SHA224
+
+key_type=DSA_PRIV
+key_len_bits=512
+padding=
+algo=SHA256
+
+key_type=DSA_PRIV
+key_len_bits=512
+padding=
+algo=SHA384
+
+key_type=DSA_PRIV
+key_len_bits=512
+padding=
+algo=SHA512
+
+key_type=DSA_PRIV
+key_len_bits=1024
+padding=
+algo=SHA1
+
+key_type=DSA_PRIV
+key_len_bits=1024
+padding=
+algo=SHA224
+
+key_type=DSA_PRIV
+key_len_bits=1024
+padding=
+algo=SHA256
+
+key_type=DSA_PRIV
+key_len_bits=1024
+padding=
+algo=SHA384
+
+key_type=DSA_PRIV
+key_len_bits=1024
+padding=
+algo=SHA512
+
+key_type=DSA_PRIV
+key_len_bits=2048
+padding=
+algo=SHA1
+
+key_type=DSA_PRIV
+key_len_bits=2048
+padding=
+algo=SHA224
+
+key_type=DSA_PRIV
+key_len_bits=2048
+padding=
+algo=SHA256
+
+key_type=DSA_PRIV
+key_len_bits=2048
+padding=
+algo=SHA384
+
+key_type=DSA_PRIV
+key_len_bits=2048
+padding=
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1_PSS
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1_PSS
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1_PSS
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=PKCS1_PSS
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=X931
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=512
+padding=X931
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=PKCS1_PSS
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=X931
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=X931
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=X931
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=1024
+padding=X931
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=MD5
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=SHA224
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=PKCS1_PSS
+algo=SHA512
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=X931
+algo=SHA1
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=X931
+algo=SHA256
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=X931
+algo=SHA384
+
+key_type=RSA_PRIV
+key_len_bits=2048
+padding=X931
+algo=SHA512
diff --git a/src/yaca/yaca-test-digest.cpp b/src/yaca/yaca-test-digest.cpp

index 0e28fc0..f472dd6 100644 (file)
--- a/src/yaca/yaca-test-digest.cpp
+++ b/src/yaca/yaca-test-digest.cpp
@@ -149,6 +149,18 @@ RUNNER_TEST(T2040_yaca_digest_get_output_length_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_get_output_length(ctx_ptr.get(), 42, &out_len));
  }
  
+RUNNER_TEST(T2045_yaca_digest_call_order_invalid_param)
+{
+    char output[512];
+    size_t out_len;
+    CtxPtr ctx = digest_init(YACA_DIGEST_SHA512);
+
+    YACA_SUCCESS(yaca_digest_update(ctx.get(), DATA.data(), DATA.size()));
+    YACA_SUCCESS(yaca_digest_finalize(ctx.get(), output, &out_len));
+
+    YACA_INVALID_PARAM(yaca_digest_update(ctx.get(), DATA.data(), DATA.size()));
+}
+
  RUNNER_TEST(T2050_yaca_digest_get_output_length, YacaTest)
  {
      digest_length_test(YACA_DIGEST_MD5,    128);
diff --git a/src/yaca/yaca-test-encrypt.cpp b/src/yaca/yaca-test-encrypt.cpp

index d27cc5e..9ab048f 100644 (file)
--- a/src/yaca/yaca-test-encrypt.cpp
+++ b/src/yaca/yaca-test-encrypt.cpp
@@ -90,17 +90,17 @@ public:
      void set_padding(yaca_padding_e padding)
      {
          YACA_SUCCESS(yaca_context_set_property(m_enCtxPtr.get(), YACA_PROPERTY_PADDING,
-                                               (char*)(&padding), sizeof(padding)));
+                                               (void*)(&padding), sizeof(padding)));
          YACA_SUCCESS(yaca_context_set_property(m_decCtxPtr.get(), YACA_PROPERTY_PADDING,
-                                               (char*)(&padding), sizeof(padding)));
+                                               (void*)(&padding), sizeof(padding)));
      }
  
      void set_effective_key_bits(size_t key_bits)
      {
          YACA_SUCCESS(yaca_context_set_property(m_enCtxPtr.get(), YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
-                                               (char*)(&key_bits), sizeof(key_bits)));
+                                               (void*)(&key_bits), sizeof(key_bits)));
          YACA_SUCCESS(yaca_context_set_property(m_decCtxPtr.get(), YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
-                                               (char*)(&key_bits), sizeof(key_bits)));
+                                               (void*)(&key_bits), sizeof(key_bits)));
      }
  
      int set_tag_len(yaca_block_cipher_mode_e bcm, size_t tag_len)
@@ -367,7 +367,7 @@ void aes_gcm_test_output(const Buffer &input,
                                    : null_key();
  
      size_t tag_len = tag.size();
-    auto tag_output = create_yaca_buffer(tag_len);
+    char *tag_output;
  
      // encryption
      Buffer encrypt_output;
@@ -393,12 +393,13 @@ void aes_gcm_test_output(const Buffer &input,
      YACA_SUCCESS(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                             (void*)&tag_len, sizeof(tag_len)));
      YACA_SUCCESS(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                           (void**)tag_output.get(), &tag_len));
+                                           (void**)&tag_output, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag_output);
  
      YACA_ASSERT_MSG(output.size() == encrypt_output.size(), "Ciphertext size after encrypt differs\n");
      YACA_ASSERT_MSG(output == encrypt_output, "Ciphertext after encrypt differs\n");
      YACA_ASSERT_MSG(tag.size() == tag_len, "Tag size after encrypt differs\n");
-    YACA_ASSERT_MSG(yaca_memcmp(tag.data(), tag_output.get(), tag_len) == YACA_ERROR_NONE,
+    YACA_ASSERT_MSG(yaca_memcmp(tag.data(), tag_output, tag_len) == YACA_ERROR_NONE,
                      "Tag after encrypt differs\n");
  
      // decryption
@@ -440,7 +441,7 @@ void aes_ccm_test_output(const Buffer &input,
                                    : null_key();
  
      size_t tag_len = tag.size();
-    auto tag_output = create_yaca_buffer(tag_len);
+    char *tag_output;
  
      // encryption
      Buffer encrypt_output;
@@ -469,12 +470,13 @@ void aes_ccm_test_output(const Buffer &input,
      encrypt_output.insert(encrypt_output.end(), final_ptr.get(), final_ptr.get() + final_len);
  
      YACA_SUCCESS(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                           (void**)tag_output.get(), &tag_len));
+                                           (void**)&tag_output, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag_output);
  
      YACA_ASSERT_MSG(output.size() == encrypt_output.size(), "Ciphertext size after encrypt differs \n");
      YACA_ASSERT_MSG(output == encrypt_output, "ciphertext after encrypt differs\n");
      YACA_ASSERT_MSG(tag.size() == tag_len, "Tag size after encrypt differs\n");
-    YACA_ASSERT_MSG(yaca_memcmp(tag.data(), tag_output.get(), tag_len) == YACA_ERROR_NONE,
+    YACA_ASSERT_MSG(yaca_memcmp(tag.data(), tag_output, tag_len) == YACA_ERROR_NONE,
                      "Tag after encrypt differs\n");
  
      // decryption
@@ -747,6 +749,22 @@ RUNNER_TEST(T3075_yaca_key_wrap_unwrap_invalid_param, YacaTest)
                                             unwrapped.get(), &unwrapped_len));
  }
  
+RUNNER_TEST(T3077_yaca_get_iv_bit_length, YacaTest)
+{
+    size_t iv_bit_len;
+    YACA_SUCCESS(yaca_encrypt_get_iv_bit_length(YACA_ENCRYPT_AES, YACA_BCM_CBC, YACA_KEY_LENGTH_256BIT,
+                                                &iv_bit_len));
+    YACA_ASSERT_MSG(iv_bit_len == YACA_KEY_LENGTH_IV_128BIT, "Invalid IV bit length.");
+
+    YACA_SUCCESS(yaca_encrypt_get_iv_bit_length(YACA_ENCRYPT_AES, YACA_BCM_ECB, YACA_KEY_LENGTH_256BIT,
+                                                &iv_bit_len));
+    YACA_ASSERT_MSG(iv_bit_len == 0, "Invalid IV bit length.");
+
+    YACA_SUCCESS(yaca_encrypt_get_iv_bit_length(YACA_ENCRYPT_3DES_3TDEA, YACA_BCM_CBC, YACA_KEY_LENGTH_192BIT,
+                                                &iv_bit_len));
+    YACA_ASSERT_MSG(iv_bit_len == YACA_KEY_LENGTH_IV_64BIT, "Invalid IV bit length.");
+}
+
  RUNNER_TEST(T3080_yaca_encrypt_decrypt_init_param_comb, YacaTest)
  {
      auto tvv = loadTestVector("encrypt_param_comb.txt");
@@ -786,7 +804,7 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
  {
      KeyIvPair key_iv_pair;
      size_t tag_len = 14;
-    auto tag = create_yaca_buffer(tag_len);
+    char *tag;
      auto aad = random_buffer(16);
      Buffer encrypt_output;
      Buffer decrypt_output;
@@ -800,9 +818,9 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      auto final_ptr = out_buf_alloc(enc_ctx_ptr, 0, final_len);
  
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
  
@@ -816,9 +834,9 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
  
@@ -828,11 +846,13 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_SUCCESS(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                             (void*)&tag_len, sizeof(tag_len)));
      YACA_SUCCESS(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                           (void**)tag.get(), &tag_len));
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
+
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
  
@@ -843,7 +863,7 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      final_ptr = out_buf_alloc(dec_ctx_ptr, 0, final_len);
  
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
  
@@ -859,12 +879,11 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 tag.get(), tag_len + 42));
+                                                 tag, tag_len + 42));
  
-    YACA_SUCCESS(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                           tag.get(), tag_len));
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG, tag, tag_len));
  
      YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx_ptr.get(), final_ptr.get(), &final_len));
      decrypt_output.insert(decrypt_output.end(), final_ptr.get(), final_ptr.get() + final_len);
@@ -872,11 +891,11 @@ RUNNER_TEST(T3110_yaca_aes_gcm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_GCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
  
      YACA_ASSERT_MSG(DATA.size() == decrypt_output.size(), "Size after encrypt-decrypt differs\n");
      YACA_ASSERT_MSG(DATA == decrypt_output, "Text after encrypt-decrypt has changed\n");
@@ -887,7 +906,7 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_256BIT);
      KeyPtr iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_64BIT);
      size_t tag_len = 16;
-    auto tag = create_yaca_buffer(tag_len);
+    char *tag;
      auto aad = random_buffer(16);
      Buffer encrypt_output;
      Buffer decrypt_output;
@@ -900,9 +919,9 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      auto final_ptr = out_buf_alloc(enc_ctx_ptr, 0, final_len);
  
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_SUCCESS(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                             (void*)&tag_len, sizeof(tag_len)));
  
@@ -919,11 +938,11 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
  
      YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx_ptr.get(), final_ptr.get(), &final_len));
      encrypt_output.insert(encrypt_output.end(), final_ptr.get(), final_ptr.get() + final_len);
@@ -931,11 +950,12 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_SUCCESS(yaca_context_get_property(enc_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                           (void**)tag.get(), &tag_len));
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
  
      // decryption
      auto dec_ctx_ptr = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
@@ -945,19 +965,18 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len + 42));
+                                                 tag, tag_len + 42));
  
-    YACA_SUCCESS(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                           tag.get(), tag_len));
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG, tag, tag_len));
  
      YACA_SUCCESS(yaca_decrypt_update(dec_ctx_ptr.get(), NULL, encrypt_output.size(),
                                       NULL, &update_len));
      YACA_SUCCESS(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_AAD,
                                             aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
  
      YACA_SUCCESS(yaca_decrypt_update(dec_ctx_ptr.get(), encrypt_output.data(), encrypt_output.size(),
                                       update_ptr.get(), &update_len));
@@ -966,11 +985,11 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
  
      YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx_ptr.get(), final_ptr.get(), &final_len));
      decrypt_output.insert(decrypt_output.end(), final_ptr.get(), final_ptr.get() + final_len);
@@ -978,11 +997,11 @@ RUNNER_TEST(T3120_yaca_aes_ccm_call_order_invalid_param, YacaTest)
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_AAD,
                                                   aad.data(), aad.size()));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 tag.get(), tag_len));
+                                                 tag, tag_len));
      YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG_LEN,
                                                   (void*)&tag_len, sizeof(tag_len)));
      YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx_ptr.get(), YACA_PROPERTY_CCM_TAG,
-                                                 (void**)tag.get(), &tag_len));
+                                                 (void**)&tag, &tag_len));
  
      YACA_ASSERT_MSG(DATA.size() == decrypt_output.size(), "Size after encrypt-decrypt differs\n");
      YACA_ASSERT_MSG(DATA == decrypt_output, "Text after encrypt-decrypt has changed\n");
@@ -1053,3 +1072,422 @@ RUNNER_TEST(T3150_yaca_aes_gcm_ccm_output_comparison, YacaTest)
                              : aes_ccm_test_output(input, algo, bcm, key, iv, aad, tag, output);
      }
  }
+
+RUNNER_TEST(T3160_yaca_set_get_padding_invalid_param, YacaTest)
+{
+    KeyIvPair key_iv_pair;
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CBC,
+                                  key_iv_pair.key, key_iv_pair.iv);
+
+    yaca_padding_e padding = YACA_PADDING_NONE;
+    size_t padding_len;
+
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), static_cast<yaca_property_e>(-1),
+                                                 (void*)(&padding), sizeof(padding)));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                 nullptr, sizeof(padding)));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                 (void*)(&padding), 0));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                 (void*)(&padding), sizeof(char)));
+
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                 (void**)(&padding), &padding_len));
+
+    size_t output_len = get_output_length(enc_ctx);
+    Buffer output(output_len);
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), output.data(), &output_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                 (void*)(&padding), sizeof(padding)));
+
+    std::vector<yaca_block_cipher_mode_e> bcms = {YACA_BCM_OFB, YACA_BCM_CFB, YACA_BCM_GCM,
+                                                  YACA_BCM_CTR, YACA_BCM_CBC};
+    std::vector<yaca_padding_e> paddings = {YACA_PADDING_PKCS1, YACA_PADDING_PKCS1_PSS,
+                                            YACA_PADDING_X931, YACA_PADDING_PKCS1_SSLV23,
+                                            YACA_PADDING_PKCS1_OAEP};
+
+    for (yaca_block_cipher_mode_e bcm : bcms) {
+        enc_ctx = encrypt_init(YACA_ENCRYPT_AES, bcm, key_iv_pair.key, key_iv_pair.iv);
+
+        for (yaca_padding_e padding : paddings) {
+            YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_PADDING,
+                                                         (void*)(&padding), sizeof(padding)));
+        }
+    }
+}
+
+RUNNER_TEST(T3170_yaca_set_get_rc2_key_bits_invalid_param, YacaTest)
+{
+    size_t effective_key_bits;
+    size_t effective_key_bits_len;
+    KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_UNSAFE_128BIT);
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_UNSAFE_RC2, YACA_BCM_ECB, key, null_key());
+
+    effective_key_bits = 0;
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(),
+                                                 YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                 (void*)(&effective_key_bits),
+                                                 sizeof(effective_key_bits)));
+    effective_key_bits = 1025;
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(),
+                                                 YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                 (void*)(&effective_key_bits),
+                                                 sizeof(effective_key_bits)));
+
+    effective_key_bits = 128;
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(),
+                                                 YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                 (void*)(&effective_key_bits), sizeof(char)));
+
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(),
+                                                 YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                 (void**)(&effective_key_bits),
+                                                 &effective_key_bits_len));
+
+    size_t output_len = get_output_length(enc_ctx, DATA.size());
+    Buffer output(output_len);
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     output.data(), &output_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(),
+                                                 YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                 (void*)(&effective_key_bits),
+                                                 sizeof(effective_key_bits)));
+
+    std::vector<yaca_encrypt_algorithm_e> algos = {YACA_ENCRYPT_AES, YACA_ENCRYPT_UNSAFE_3DES_2TDEA,
+                                                   YACA_ENCRYPT_CAST5};
+
+    for (yaca_encrypt_algorithm_e algo : algos) {
+        enc_ctx = encrypt_init(algo, YACA_BCM_ECB, key, null_key());
+
+        YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(),
+                                                     YACA_PROPERTY_RC2_EFFECTIVE_KEY_BITS,
+                                                     (void*)(&effective_key_bits),
+                                                     sizeof(effective_key_bits)));
+    }
+}
+
+RUNNER_TEST(T3180_yaca_set_get_gcm_properties_invalid_param, YacaTest)
+{
+    KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_192BIT);
+    KeyPtr iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_128BIT);
+    KeyPtr gcm_iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_64BIT);
+
+    size_t aad_len = 16;
+    Buffer aad = random_buffer(aad_len);
+    size_t tag_len = 16;
+    char *tag;
+
+    size_t update_len, final_len;
+
+    // CTR
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CTR, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 aad.data(), aad.size()));
+
+    Buffer encrypt_output;
+    ChrPtr update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    ChrPtr final = out_buf_alloc(enc_ctx, 0, final_len);
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(tag_len)));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 (void**)&tag, &tag_len));
+
+    CtxPtr dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CTR, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 aad.data(), aad.size()));
+
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 tag, tag_len));
+
+    YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+
+    // GCM
+    enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_GCM, key, gcm_iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                                 aad.data(), aad.size()));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 (void**)aad.data(), &aad_len));
+
+    encrypt_output.clear();
+    update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    final = out_buf_alloc(enc_ctx, 0, final_len);
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(tag_len)));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(char)));
+
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 (void**)&tag, &tag_len));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 nullptr, &tag_len));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 (void**)&tag, nullptr));
+
+    YACA_SUCCESS(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
+
+    dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_GCM, key, gcm_iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                                 aad.data(), aad.size()));
+    YACA_INVALID_PARAM(yaca_context_get_property(dec_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 (void**)aad.data(), &aad_len));
+
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 tag, tag_len));
+
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_TAG, tag, tag_len));
+
+    YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+}
+
+RUNNER_TEST(T3190_yaca_set_get_ccm_properties_invalid_param, YacaTest)
+{
+    KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_192BIT);
+    KeyPtr iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_64BIT);
+
+    size_t aad_len = 16;
+    Buffer aad = random_buffer(aad_len);
+    size_t tag_len = 12;
+    char *tag;
+
+    size_t update_len, final_len;
+
+    // CFB
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_3DES_3TDEA, YACA_BCM_CFB, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(tag_len)));
+
+    YACA_INVALID_PARAM(yaca_encrypt_update(enc_ctx.get(), NULL, DATA.size(), NULL, &update_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                                 aad.data(), aad.size()));
+
+    Buffer encrypt_output;
+    ChrPtr update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    ChrPtr final = out_buf_alloc(enc_ctx, 0, final_len);
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 (void**)&tag, &tag_len));
+
+    CtxPtr dec_ctx = decrypt_init(YACA_ENCRYPT_3DES_3TDEA, YACA_BCM_CFB, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 tag, tag_len));
+    YACA_INVALID_PARAM(yaca_decrypt_update(dec_ctx.get(), NULL, encrypt_output.size(), NULL,
+                                           &update_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                                 aad.data(), aad.size()));
+
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+
+    // CCM
+    enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(tag_len)));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG_LEN,
+                                                 (void*)(&tag_len), sizeof(char)));
+
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), NULL, DATA.size(), NULL, &update_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 aad.data(), aad.size()));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                                 (void**)aad.data(), &aad_len));
+
+    YACA_SUCCESS(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                           aad.data(), aad.size()));
+
+    encrypt_output.clear();
+    update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    final = out_buf_alloc(enc_ctx, 0, final_len);
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 (void**)&tag, &tag_len));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 nullptr, &tag_len));
+    YACA_INVALID_PARAM(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                                 (void**)&tag, nullptr));
+
+    YACA_SUCCESS(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
+
+    dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                                 tag, tag_len));
+
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_TAG, tag, tag_len));
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), NULL, encrypt_output.size(), NULL,
+                                     &update_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                                 aad.data(), aad.size()));
+
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                           aad.data(), aad.size()));
+
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+}
+
+RUNNER_TEST(T3200_yaca_set_invalid_gcm_tag_aad, YacaTest)
+{
+    KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_192BIT);
+    KeyPtr iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_64BIT);
+
+    size_t aad_len = 16;
+    Buffer aad = random_buffer(aad_len);
+    size_t tag_len = 16;
+    char *tag;
+
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_GCM, key, iv);
+
+    Buffer encrypt_output;
+    size_t update_len, final_len;
+    ChrPtr update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    ChrPtr final = out_buf_alloc(enc_ctx, 0, final_len);
+
+    YACA_SUCCESS(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                           aad.data(), aad.size()));
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    YACA_SUCCESS(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
+
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    CtxPtr dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_GCM, key, iv);
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+
+    // Invalid AAD
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_AAD, tag, aad.size()));
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+
+    // Valid TAG
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_TAG, tag, tag_len));
+
+    YACA_INVALID_PARAM(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+
+    dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_GCM, key, iv);
+
+    // Valid AAD
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_AAD,
+                                           aad.data(), aad.size()));
+
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                     update.get(), &update_len));
+
+    // Invalid TAG
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_GCM_TAG,
+                                           aad.data(), tag_len));
+
+    YACA_INVALID_PARAM(yaca_decrypt_finalize(dec_ctx.get(), final.get(), &final_len));
+}
+
+RUNNER_TEST(T3210_yaca_set_invalid_ccm_tag_aad, YacaTest)
+{
+    KeyPtr key = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_192BIT);
+    KeyPtr iv = generate_key(YACA_KEY_TYPE_IV, YACA_KEY_LENGTH_IV_64BIT);
+
+    size_t aad_len = 16;
+    Buffer aad = random_buffer(aad_len);
+    size_t tag_len = 12;
+    char *tag;
+
+    CtxPtr enc_ctx = encrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
+
+    Buffer encrypt_output;
+    size_t update_len, final_len;
+    ChrPtr update = out_buf_alloc(enc_ctx, DATA.size(), update_len);
+    ChrPtr final = out_buf_alloc(enc_ctx, 0, final_len);
+
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), NULL, DATA.size(), NULL, &update_len));
+    YACA_SUCCESS(yaca_context_set_property(enc_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                           aad.data(), aad.size()));
+    YACA_SUCCESS(yaca_encrypt_update(enc_ctx.get(), DATA.data(), DATA.size(),
+                                     update.get(), &update_len));
+    YACA_SUCCESS(yaca_encrypt_finalize(enc_ctx.get(), final.get(), &final_len));
+    YACA_SUCCESS(yaca_context_get_property(enc_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                           (void**)&tag, &tag_len));
+    ChrPtr tag_ptr = wrap_ptr(tag);
+
+    encrypt_output.insert(encrypt_output.end(), update.get(), update.get() + update_len);
+    encrypt_output.insert(encrypt_output.end(), final.get(), final.get() + final_len);
+
+    CtxPtr dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
+    update = out_buf_alloc(dec_ctx, encrypt_output.size(), update_len);
+    final = out_buf_alloc(dec_ctx, 0, final_len);
+
+    // Invalid TAG
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_TAG,
+                                           aad.data(), tag_len));
+
+    // Valid AAD
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), NULL, encrypt_output.size(), NULL,
+                                     &update_len));
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                           aad.data(), aad.size()));
+
+    YACA_INVALID_PARAM(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                           update.get(), &update_len));
+
+    dec_ctx = decrypt_init(YACA_ENCRYPT_AES, YACA_BCM_CCM, key, iv);
+
+    // Valid TAG
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_TAG, tag, tag_len));
+
+    // Invalid AAD
+    YACA_SUCCESS(yaca_decrypt_update(dec_ctx.get(), NULL, encrypt_output.size(), NULL,
+                                     &update_len));
+    YACA_SUCCESS(yaca_context_set_property(dec_ctx.get(), YACA_PROPERTY_CCM_AAD,
+                                           tag, aad.size()));
+
+    YACA_INVALID_PARAM(yaca_decrypt_update(dec_ctx.get(), encrypt_output.data(), encrypt_output.size(),
+                                           update.get(), &update_len));
+}
diff --git a/src/yaca/yaca-test-rsa.cpp b/src/yaca/yaca-test-rsa.cpp

index 89634ac..3fcd2a5 100644 (file)
--- a/src/yaca/yaca-test-rsa.cpp
+++ b/src/yaca/yaca-test-rsa.cpp
@@ -194,7 +194,7 @@ void test_rsa_padding(const KeyPair& kp, const PaddingInfo& pi, EncryptionType e
          expected = YACA_ERROR_INVALID_PARAMETER;
          if (p.padding == YACA_PADDING_NONE ||
              (et == ET_PUB && ((p.padding == YACA_PADDING_PKCS1 && padding == YACA_PADDING_PKCS1_SSLV23) ||
-                              (p.padding == YACA_PADDING_PKCS1_SSLV23 && padding == YACA_PADDING_PKCS1))))
+                              (p.padding == padding))))
              expected = YACA_ERROR_NONE;
  
          YACA_RESULT(expected, decrypt(p.padding, dec_key.get(),
diff --git a/src/yaca/yaca-test-sign.cpp b/src/yaca/yaca-test-sign.cpp

index 0a8d77b..49a2d04 100644 (file)
--- a/src/yaca/yaca-test-sign.cpp
+++ b/src/yaca/yaca-test-sign.cpp
@@ -58,15 +58,21 @@ RUNNER_TEST_GROUP_INIT(T6000_YACA_SIGN);
  RUNNER_TEST(T6010_yaca_sign_init_invalid_param, YacaTest)
  {
      yaca_context_h ctx = YACA_CONTEXT_NULL;
-    KeyPtr prv = generate_key(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_1024BIT);
-    KeyPtr pub = extract_public_key(prv);
+    KeyPair rsa(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_512BIT);
+    KeyPair dsa(YACA_KEY_TYPE_DSA_PRIV, YACA_KEY_LENGTH_1024BIT);
+    KeyPair ec(YACA_KEY_TYPE_EC_PRIV, YACA_KEY_LENGTH_EC_SECP384R1);
      KeyPtr sym = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_256BIT);
  
-    YACA_INVALID_PARAM(yaca_sign_initialize(nullptr, YACA_DIGEST_MD5, prv.get()));
-    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, static_cast<yaca_digest_algorithm_e>(-1), prv.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(nullptr, YACA_DIGEST_MD5, rsa.prv.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, static_cast<yaca_digest_algorithm_e>(-1),
+                                            rsa.prv.get()));
      YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, YACA_KEY_NULL));
-    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, pub.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, rsa.pub.get()));
      YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, sym.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_SHA384, rsa.prv.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_SHA512, rsa.prv.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, dsa.prv.get()));
+    YACA_INVALID_PARAM(yaca_sign_initialize(&ctx, YACA_DIGEST_MD5, ec.prv.get()));
  }
  
  RUNNER_TEST(T6020_yaca_sign_hmac_init_invalid_param, YacaTest)
@@ -124,15 +130,21 @@ RUNNER_TEST(T6050_yaca_sign_final_invalid_param, YacaTest)
  RUNNER_TEST(T6060_yaca_verify_init_invalid_param)
  {
      yaca_context_h ctx = YACA_CONTEXT_NULL;
-    KeyPtr prv = generate_key(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_1024BIT);
-    KeyPtr pub = extract_public_key(prv);
+    KeyPair rsa(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_512BIT);
+    KeyPair dsa(YACA_KEY_TYPE_DSA_PRIV, YACA_KEY_LENGTH_1024BIT);
+    KeyPair ec(YACA_KEY_TYPE_EC_PRIV, YACA_KEY_LENGTH_EC_SECP384R1);
      KeyPtr sym = generate_key(YACA_KEY_TYPE_SYMMETRIC, YACA_KEY_LENGTH_256BIT);
  
-    YACA_INVALID_PARAM(yaca_verify_initialize(nullptr, YACA_DIGEST_MD5, pub.get()));
-    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, static_cast<yaca_digest_algorithm_e>(-1), prv.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(nullptr, YACA_DIGEST_MD5, rsa.pub.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, static_cast<yaca_digest_algorithm_e>(-1),
+                                              rsa.prv.get()));
      YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, YACA_KEY_NULL));
-    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, prv.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, rsa.prv.get()));
      YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, sym.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_SHA384, rsa.pub.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_SHA512, rsa.pub.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, dsa.pub.get()));
+    YACA_INVALID_PARAM(yaca_verify_initialize(&ctx, YACA_DIGEST_MD5, ec.pub.get()));
  }
  
  RUNNER_TEST(T6070_yaca_verify_update_invalid_param)
@@ -141,9 +153,9 @@ RUNNER_TEST(T6070_yaca_verify_update_invalid_param)
      KeyPtr pub = extract_public_key(prv);
      CtxPtr ctx = verify_init(YACA_DIGEST_MD5, pub);
  
-    YACA_INVALID_PARAM(yaca_sign_update(YACA_CONTEXT_NULL, lorem16, LOREM16_SIZE));
-    YACA_INVALID_PARAM(yaca_sign_update(ctx.get(), nullptr, LOREM16_SIZE));
-    YACA_INVALID_PARAM(yaca_sign_update(ctx.get(), lorem16, 0));
+    YACA_INVALID_PARAM(yaca_verify_update(YACA_CONTEXT_NULL, lorem16, LOREM16_SIZE));
+    YACA_INVALID_PARAM(yaca_verify_update(ctx.get(), nullptr, LOREM16_SIZE));
+    YACA_INVALID_PARAM(yaca_verify_update(ctx.get(), lorem16, 0));
  }
  
  RUNNER_TEST(T6080_yaca_verify_final_invalid_param)
@@ -170,6 +182,30 @@ RUNNER_TEST(T6090_yaca_sign_get_output_length_invalid_param)
      YACA_INVALID_PARAM(yaca_context_get_output_length(ctx.get(), 0, nullptr));
  }
  
+RUNNER_TEST(T6095_yaca_sign_verify_call_order_invalid_param)
+{
+    KeyPtr key = generate_key(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_1024BIT);
+    KeyPtr key_pub = extract_public_key(key);
+    CtxPtr ctx_sgn = sign_init(YACA_DIGEST_SHA1, key);
+    CtxPtr ctx_vrf = verify_init(YACA_DIGEST_SHA1, key_pub);
+    size_t output_len = get_output_length(ctx_sgn);
+    Buffer output(output_len);
+    yaca_padding_e padding = YACA_PADDING_PKCS1_PSS;
+
+    YACA_SUCCESS(yaca_sign_finalize(ctx_sgn.get(), output.data(), &output_len));
+    YACA_SUCCESS(yaca_verify_finalize(ctx_vrf.get(), output.data(), output_len));
+
+    YACA_INVALID_PARAM(yaca_sign_update(ctx_sgn.get(), output.data(), output_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(ctx_sgn.get(), YACA_PROPERTY_PADDING,
+                                                 static_cast<void*>(&padding),
+                                                 sizeof(yaca_padding_e)));
+
+    YACA_INVALID_PARAM(yaca_verify_update(ctx_vrf.get(), output.data(), output_len));
+    YACA_INVALID_PARAM(yaca_context_set_property(ctx_vrf.get(), YACA_PROPERTY_PADDING,
+                                                 static_cast<void*>(&padding),
+                                                 sizeof(yaca_padding_e)));
+}
+
  RUNNER_TEST(T6100_yaca_sign_set_property_invalid_param)
  {
      KeyPtr key = generate_key(YACA_KEY_TYPE_RSA_PRIV, YACA_KEY_LENGTH_512BIT);
@@ -205,6 +241,16 @@ RUNNER_TEST(T6100_yaca_sign_set_property_invalid_param)
                                                       0));
      }
  
+    padding = YACA_PADDING_X931;
+    ctx_sgn = sign_init(YACA_DIGEST_MD5, key);
+    YACA_INVALID_PARAM(yaca_context_set_property(ctx_sgn.get(), YACA_PROPERTY_PADDING,
+                                                 static_cast<void*>(&padding),
+                                                 sizeof(yaca_padding_e)));
+    ctx_sgn = sign_init(YACA_DIGEST_SHA224, key);
+    YACA_INVALID_PARAM(yaca_context_set_property(ctx_sgn.get(), YACA_PROPERTY_PADDING,
+                                                 static_cast<void*>(&padding),
+                                                 sizeof(yaca_padding_e)));
+
      YACA_INVALID_PARAM(yaca_context_set_property(ctx_dsa.get(), YACA_PROPERTY_PADDING,
                                                   static_cast<void*>(&padding),
                                                   sizeof(yaca_padding_e)));
@@ -214,7 +260,6 @@ RUNNER_TEST(T6100_yaca_sign_set_property_invalid_param)
      YACA_INVALID_PARAM(yaca_context_set_property(ctx_digest.get(), YACA_PROPERTY_PADDING,
                                                   static_cast<void*>(&padding),
                                                   sizeof(yaca_padding_e)));
-
  }
  
  RUNNER_TEST(T6120_yaca_sign_get_output_length)
@@ -229,7 +274,6 @@ RUNNER_TEST(T6120_yaca_sign_get_output_length)
      };
  
      const std::vector<yaca_key_bit_length_e> lengths = {
-        YACA_KEY_LENGTH_512BIT,
          YACA_KEY_LENGTH_1024BIT,
          YACA_KEY_LENGTH_2048BIT,
          YACA_KEY_LENGTH_3072BIT,
@@ -495,7 +539,8 @@ RUNNER_TEST(T6180_yaca_sign_verify_padding_test_vectors, YacaTest)
              CtxPtr ctx = sign_init(algo, key_prv);
              size_t output_len = get_output_length(ctx);
              YACA_SUCCESS(yaca_context_set_property(ctx.get(), YACA_PROPERTY_PADDING,
-                                                   static_cast<void*>(&padding), sizeof(padding)));
+                                                   static_cast<void*>(&padding),
+                                                   sizeof(yaca_padding_e)));
  
              if (input.size() > 0) {
                  for (size_t i = 0; i < repeats; i++)
@@ -510,7 +555,8 @@ RUNNER_TEST(T6180_yaca_sign_verify_padding_test_vectors, YacaTest)
  
              ctx = verify_init(algo, key_pub);
              YACA_SUCCESS(yaca_context_set_property(ctx.get(), YACA_PROPERTY_PADDING,
-                                                   static_cast<void*>(&padding), sizeof(padding)));
+                                                   static_cast<void*>(&padding),
+                                                   sizeof(yaca_padding_e)));
  
              if (input.size() > 0)
                  for (size_t i = 0; i < repeats; i++)
@@ -555,3 +601,32 @@ RUNNER_TEST(T6180_yaca_sign_verify_padding_test_vectors, YacaTest)
          }
      }
  }
+
+RUNNER_TEST(T6190_yaca_sign_param_combinations, YacaTest)
+{
+    auto tvv = loadTestVector("sign_param_comb.txt");
+
+    for (const auto& tv : tvv) {
+        yaca_key_type_e key_type;
+        size_t key_len;
+        yaca_padding_e padding;
+        yaca_digest_algorithm_e algo;
+
+        tv.get("key_type", key_type);
+        tv.get("key_len_bits", key_len);
+        if (key_type == YACA_KEY_TYPE_RSA_PRIV)
+            tv.get("padding", padding);
+        tv.get("algo", algo);
+
+        KeyPtr key = generate_key(key_type, key_len);
+        CtxPtr ctx = sign_init(algo, key);
+
+        if (key_type == YACA_KEY_TYPE_RSA_PRIV)
+           YACA_SUCCESS(yaca_context_set_property(ctx.get(), YACA_PROPERTY_PADDING,
+                                                  (void*)&padding, sizeof(yaca_padding_e)));
+
+        size_t output_len = get_output_length(ctx);
+        Buffer output(output_len);
+        YACA_SUCCESS(yaca_sign_finalize(ctx.get(), output.data(), &output_len));
+    }
+}
diff --git a/src/yaca/yaca-test-vector.cpp b/src/yaca/yaca-test-vector.cpp

index b145a67..49b8b51 100644 (file)
--- a/src/yaca/yaca-test-vector.cpp
+++ b/src/yaca/yaca-test-vector.cpp
@@ -120,6 +120,16 @@ std::unordered_map<std::string, yaca_kdf_e> str2kdf = {
      std::make_pair("X962", YACA_KDF_X962)
  };
  
+std::unordered_map<std::string, yaca_padding_e> str2padding = {
+    std::make_pair("NONE",         YACA_PADDING_NONE),
+    std::make_pair("X931",         YACA_PADDING_X931),
+    std::make_pair("PKCS1",        YACA_PADDING_PKCS1),
+    std::make_pair("PKCS1_PSS",    YACA_PADDING_PKCS1_PSS),
+    std::make_pair("PKCS1_OAEP",   YACA_PADDING_PKCS1_OAEP),
+    std::make_pair("PKCS1_SSLV23", YACA_PADDING_PKCS1_SSLV23),
+    std::make_pair("PKCS7",        YACA_PADDING_PKCS7)
+};
+
  } // anonymous namespace
  
  void TestVector::add(const std::string &key, const std::string &val)
@@ -174,6 +184,11 @@ void TestVector::get(const std::string &key, yaca_kdf_e &val) const
      val = str2kdf.at(value(key));
  }
  
+void TestVector::get(const std::string &key, yaca_padding_e &val) const
+{
+    val = str2padding.at(value(key));
+}
+
  void TestVector::reset()
  {
      m_data.clear();
diff --git a/src/yaca/yaca-test-vector.h b/src/yaca/yaca-test-vector.h

index 1e34481..06ee01b 100644 (file)
--- a/src/yaca/yaca-test-vector.h
+++ b/src/yaca/yaca-test-vector.h
@@ -57,6 +57,8 @@ public:
      void get(const std::string &key, yaca_block_cipher_mode_e &val) const;
      /* special case for kdf */
      void get(const std::string &key, yaca_kdf_e &val) const;
+    /* special case for padding */
+    void get(const std::string &key, yaca_padding_e &val) const;
  
      void reset();
author	Dariusz Michaluk <d.michaluk@samsung.com>
	Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)
committer	Dariusz Michaluk <d.michaluk@samsung.com>
	Wed, 22 Jan 2020 12:24:42 +0000 (13:24 +0100)
CMakeLists.txt		patch \| blob \| history
packaging/security-tests.manifest		patch \| blob \| history
packaging/security-tests.spec		patch \| blob \| history
src/ckm-integration/ckm-policy.cpp		patch \| blob \| history
src/ckm-integration/group01.cpp		patch \| blob \| history
src/ckm-integration/group02.cpp		patch \| blob \| history
src/ckm-integration/process-settings/change-smack.cpp		patch \| blob \| history
src/ckm-integration/process-settings/change-smack.h		patch \| blob \| history
src/ckm-integration/process-settings/unlock-ckm.cpp		patch \| blob \| history
src/ckm/CMakeLists.txt		patch \| blob \| history
src/ckm/ckm-common.cpp		patch \| blob \| history
src/ckm/ckm-common.h		patch \| blob \| history
src/ckm/keys/pkcs12.tgz	[deleted file]	patch \| blob \| history
src/ckm/keys/pkcs12/HOWTO.txt	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/ca-int.crt	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/ca-int.csr	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/ca-int.key	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/ca.crt	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/ca.key	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/chain.pem	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/server.crt	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/server.csr	[new file with mode: 0644]	patch \| blob
src/ckm/keys/pkcs12/server.key	[new file with mode: 0644]	patch \| blob
src/ckm/privileged/CMakeLists.txt		patch \| blob \| history
src/ckm/privileged/access_provider2.cpp		patch \| blob \| history
src/ckm/privileged/access_provider2.h		patch \| blob \| history
src/ckm/privileged/aes_128_cbc_encrypt.sh	[new file with mode: 0755]	patch \| blob
src/ckm/privileged/async-api.cpp		patch \| blob \| history
src/ckm/privileged/capi-access_control.cpp		patch \| blob \| history
src/ckm/privileged/cc-mode.cpp		patch \| blob \| history
src/ckm/privileged/ckm-privileged-common.cpp		patch \| blob \| history
src/ckm/privileged/ckm-privileged-common.h		patch \| blob \| history
src/ckm/privileged/ckm-tests-on-onlycap.sh	[deleted file]	patch \| blob \| history
src/ckm/privileged/initial-values.cpp		patch \| blob \| history
src/ckm/privileged/main.cpp		patch \| blob \| history
src/ckm/privileged/system-db.cpp		patch \| blob \| history
src/ckm/resource/XML_1_okay.xml		patch \| blob \| history
src/ckm/resource/XML_2_okay.xml		patch \| blob \| history
src/ckm/resource/XML_3_wrong.xml		patch \| blob \| history
src/ckm/resource/device_key.xml	[deleted file]	patch \| blob \| history
src/ckm/resource/pkcs.p12		patch \| blob \| history
src/ckm/test-certs.cpp		patch \| blob \| history
src/ckm/unprivileged/CMakeLists.txt		patch \| blob \| history
src/ckm/unprivileged/async-api.cpp		patch \| blob \| history
src/ckm/unprivileged/capi-testcases.cpp		patch \| blob \| history
src/ckm/unprivileged/encryption-decryption.cpp		patch \| blob \| history
src/ckm/unprivileged/main.cpp		patch \| blob \| history
src/ckm/unprivileged/sign-verify.cpp	[new file with mode: 0644]	patch \| blob
src/common/CMakeLists.txt		patch \| blob \| history
src/common/access_provider.cpp		patch \| blob \| history
src/common/app_def_privilege.h		patch \| blob \| history
src/common/app_install_helper.cpp		patch \| blob \| history
src/common/app_install_helper.h		patch \| blob \| history
src/common/cynara_helpers_creds.cpp		patch \| blob \| history
src/common/cynara_helpers_creds.h		patch \| blob \| history
src/common/cynara_helpers_dbus.h		patch \| blob \| history
src/common/label_generator.cpp		patch \| blob \| history
src/common/label_generator.h		patch \| blob \| history
src/common/pkg_privacy_privileges.h	[new file with mode: 0644]	patch \| blob
src/common/privilege_manager.cpp	[new file with mode: 0644]	patch \| blob
src/common/privilege_manager.h	[moved from src/security-manager-tests/common/scoped_label.h with 55% similarity]	patch \| blob \| history
src/common/scoped_installer.h		patch \| blob \| history
src/common/scoped_process_label.cpp	[new file with mode: 0644]	patch \| blob
src/common/scoped_process_label.h	[new file with mode: 0644]	patch \| blob
src/common/service_manager.cpp		patch \| blob \| history
src/common/sm_api.cpp		patch \| blob \| history
src/common/sm_api.h		patch \| blob \| history
src/common/sm_request.cpp		patch \| blob \| history
src/common/sm_request.h		patch \| blob \| history
src/common/synchronization_pipe.cpp		patch \| blob \| history
src/common/synchronization_pipe.h		patch \| blob \| history
src/common/temp_test_user.h		patch \| blob \| history
src/common/tests_common.cpp		patch \| blob \| history
src/common/tests_common.h		patch \| blob \| history
src/cynara-tests/CMakeLists.txt		patch \| blob \| history
src/cynara-tests/common/cynara_test_agent.cpp		patch \| blob \| history
src/cynara-tests/common/cynara_test_agent.h		patch \| blob \| history
src/cynara-tests/common/cynara_test_client.cpp		patch \| blob \| history
src/cynara-tests/common/cynara_test_client.h		patch \| blob \| history
src/cynara-tests/common/cynara_test_client_async_client.cpp		patch \| blob \| history
src/cynara-tests/common/cynara_test_env.cpp		patch \| blob \| history
src/cynara-tests/common/cynara_test_env.h		patch \| blob \| history
src/cynara-tests/common/cynara_test_monitor.cpp	[new file with mode: 0644]	patch \| blob
src/cynara-tests/common/cynara_test_monitor.h	[new file with mode: 0644]	patch \| blob
src/cynara-tests/test_cases_agent.cpp		patch \| blob \| history
src/cynara-tests/test_cases_helpers.cpp		patch \| blob \| history
src/cynara-tests/test_cases_monitor.cpp	[new file with mode: 0644]	patch \| blob
src/framework/include/dpl/test/test_case.h		patch \| blob \| history
src/framework/include/dpl/test/test_group.h	[new file with mode: 0644]	patch \| blob
src/framework/include/dpl/test/test_runner.h		patch \| blob \| history
src/framework/src/assert.cpp		patch \| blob \| history
src/framework/src/test_results_collector_console.cpp		patch \| blob \| history
src/framework/src/test_runner.cpp		patch \| blob \| history
src/security-manager-tests/CMakeLists.txt		patch \| blob \| history
src/security-manager-tests/common/sm_commons.cpp		patch \| blob \| history
src/security-manager-tests/common/sm_commons.h		patch \| blob \| history
src/security-manager-tests/common/template_parser.cpp	[new file with mode: 0644]	patch \| blob
src/security-manager-tests/common/template_parser.h	[new file with mode: 0644]	patch \| blob
src/security-manager-tests/test_cases.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_app_policy.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_paths.cpp	[new file with mode: 0644]	patch \| blob
src/security-manager-tests/test_cases_prepare_app.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_privacy_manager.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_private_sharing.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_public_sharing.cpp		patch \| blob \| history
src/security-manager-tests/test_cases_register_paths.cpp		patch \| blob \| history
src/security-tests-all.sh		patch \| blob \| history
src/security-tests.sh		patch \| blob \| history
src/yaca/test-vectors/sign_param_comb.txt	[new file with mode: 0644]	patch \| blob
src/yaca/yaca-test-digest.cpp		patch \| blob \| history
src/yaca/yaca-test-encrypt.cpp		patch \| blob \| history
src/yaca/yaca-test-rsa.cpp		patch \| blob \| history
src/yaca/yaca-test-sign.cpp		patch \| blob \| history
src/yaca/yaca-test-vector.cpp		patch \| blob \| history
src/yaca/yaca-test-vector.h		patch \| blob \| history