From 2c1f0b37f20f1a19b387d397eb7a3d7461d15bc9 Mon Sep 17 00:00:00 2001
From: itayzafrir
Date: Sun, 17 Feb 2019 17:53:27 +0200
Subject: [PATCH] Add acl test - use other partitions' key - manage key
---
 .../COMPONENT_NSPE/main.cpp | 76 +++++++++++++++++++
 .../test_partition_proxy.c | 13 ++++
 .../test_partition_proxy.h | 3 +
 .../psa_test_partition_partition.c | 12 +++
 .../psa_test_partition_partition.h | 7 +-
 .../COMPONENT_SPE/test_partition.c | 28 +++++++
 .../crypto_acl_test_partition_psa.json | 8 ++
 .../psa_test_partition_ifs.h | 1 +
 8 files changed, 146 insertions(+), 2 deletions(-)
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_NSPE/main.cpp b/TESTS/psa/crypto_access_control/COMPONENT_NSPE/main.cpp
index 705c08fcf2..4d642d1117 100644
--- a/TESTS/psa/crypto_access_control/COMPONENT_NSPE/main.cpp
+++ b/TESTS/psa/crypto_access_control/COMPONENT_NSPE/main.cpp
@@ -155,6 +155,80 @@ void test_create_key_same_id_different_partitions(void)
 TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_close_key(key_handle_local));
 }
 
+void test_use_other_partition_key_manage_key(void)
+{
+ static const psa_key_id_t key_id = 999;
+ static const psa_key_type_t key_type = PSA_KEY_TYPE_AES;
+ static const psa_algorithm_t key_alg = PSA_ALG_CBC_NO_PADDING;
+ static const psa_key_usage_t key_usage = PSA_KEY_USAGE_EXPORT;
+ static const size_t key_bits = 128;
+ static const unsigned char key_data[] = {
+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+ };
+ psa_key_handle_t key_handle = 0;
+ psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
+ unsigned char output[sizeof(key_data)] = { 0 };
+ size_t len, got_key_bits;
+ psa_key_type_t got_key_type;
+ psa_key_lifetime_t got_lifetime;
+
+ /* via test partition - create a key without generating any key material */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_create_persistent_key(key_id, &key_handle));
+ TEST_ASSERT_NOT_EQUAL(0, key_handle);
+
+ /* try to set the key policy for the key that was created by the test partition */
+ psa_key_policy_set_usage(&policy, key_usage, key_alg);
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_set_key_policy(key_handle, &policy));
+
+ /* via test partition - set key policy */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_set_key_policy(key_handle, key_usage, key_alg));
+
+ /* try to generate key data for the key that was created by the test partition */
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_generate_key(key_handle, key_type, key_bits, NULL, 0));
+
+ /* via test partition - generate key material and close the key */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_generate_key(key_handle, key_type, key_bits));
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_close_key(key_handle));
+
+ /* via test partition - reopen the key created by the test partition and keep it open */
+ key_handle = 0;
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_open_persistent_key(key_id, &key_handle));
+ TEST_ASSERT_NOT_EQUAL(0, key_handle);
+
+ /* try to work with the handle created for a key created by the test partition */
+ got_key_type = 0;
+ got_key_bits = 0;
+ got_lifetime = 0;
+ policy = psa_key_policy_init();
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_policy(key_handle, &policy));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_lifetime(key_handle, &got_lifetime));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_close_key(key_handle));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_destroy_key(key_handle));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_get_key_information(key_handle, &got_key_type, &got_key_bits));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_export_key(key_handle, output, sizeof(output), &len));
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_export_public_key(key_handle, output, sizeof(output), &len));
+
+ /* via test partition - destroy the key created by the test partition */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_destroy_key(key_handle));
+
+ /* via test partition - create a key, set key policy but no key material */
+ key_handle = 0;
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_create_persistent_key(key_id, &key_handle));
+ TEST_ASSERT_NOT_EQUAL(0, key_handle);
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_set_key_policy(key_handle, key_usage, key_alg));
+
+ /* try to import key data into the key that was created by the test partition */
+ TEST_ASSERT_EQUAL(PSA_ERROR_INVALID_HANDLE, psa_import_key(key_handle, key_type,
+ key_data, sizeof(key_data)));
+
+ /* via test partition - import key data for the key created by the test partition */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_import_key(key_handle, key_type, key_data, sizeof(key_data)));
+
+ /* via test partition - close the key created by the test partition */
+ TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_close_key(key_handle));
+}
+
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
 psa_status_t status = mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST);
@@ -192,6 +266,8 @@ Case cases[] = {
 case_setup_handler, test_open_other_partition_key, case_teardown_handler),
 Case("create key with same id different partitions",
 case_setup_handler, test_create_key_same_id_different_partitions, case_teardown_handler),
+ Case("use other partitions' key - key manage",
+ case_setup_handler, test_use_other_partition_key_manage_key, case_teardown_handler),
 };
 
 Specification specification(test_setup, cases);
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.c b/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.c
index 7d7c2fb524..b2e10695fb 100644
--- a/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.c
+++ b/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.c
@@ -117,3 +117,16 @@ psa_status_t test_partition_crypto_destroy_key(psa_key_handle_t key_handle)
 psa_status_t status = invoke_ipc_call(CRYPTO_DESTROY_KEY, &in_vec, 1, NULL, 0);
 return (status);
 }
+
+psa_status_t test_partition_crypto_import_key(psa_key_handle_t key_handle, psa_key_type_t key_type,
+ const unsigned char *key_data, size_t key_data_size)
+{
+ psa_invec in_vec[4] = {
+ { &key_handle, sizeof(key_handle) },
+ { &key_type, sizeof(key_type) },
+ { &key_data_size, sizeof(key_data_size) },
+ { key_data, key_data_size }
+ };
+ psa_status_t status = invoke_ipc_call(CRYPTO_IMPORT_KEY, in_vec, 4, NULL, 0);
+ return (status);
+}
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.h b/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.h
index 161d09a6b9..fe4aa22387 100644
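Review bot: The last section of test_use_other_partition_key_manage_key leaves persistent key id 999 populated with the imported AES material: the final added assertion only calls `test_partition_crypto_close_key`, whereas the middle section destroyed its key before re-creating it under the same id. Whether that leftover is harmless depends on `case_setup_handler`'s reboot into PSA_LIFECYCLE_ASSEMBLY_AND_TEST wiping internal storage, which this hunk does not show; if it does not, a re-run of the case will find id 999 already occupied at the first `test_partition_crypto_create_persistent_key`. Ending with `TEST_ASSERT_EQUAL(PSA_SUCCESS, test_partition_crypto_destroy_key(key_handle));` instead of the close keeps the case self-cleaning, and the middle section already shows that destroy also retires the handle. A one-line comment above the function stating the contract under test — every key-management entry point, from psa_set_key_policy through psa_import_key, must answer PSA_ERROR_INVALID_HANDLE for a handle that belongs to another partition — would also help readers see why the same handle is probed from both sides.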
--- a/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.h
+++ b/TESTS/psa/crypto_access_control/COMPONENT_PSA_SRV_IPC/test_partition_proxy.h
@@ -43,6 +43,9 @@ psa_status_t test_partition_crypto_close_key(psa_key_handle_t key_handle);
 psa_status_t test_partition_crypto_destroy_key(psa_key_handle_t key_handle);
 
+psa_status_t test_partition_crypto_import_key(psa_key_handle_t key_handle, psa_key_type_t key_type,
+ const unsigned char *key_data, size_t key_data_size);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_SPE/TARGET_MBED_SPM/psa_test_partition_partition.c b/TESTS/psa/crypto_access_control/COMPONENT_SPE/TARGET_MBED_SPM/psa_test_partition_partition.c
index 6f9dc1504d..268b752460 100644
--- a/TESTS/psa/crypto_access_control/COMPONENT_SPE/TARGET_MBED_SPM/psa_test_partition_partition.c
+++ b/TESTS/psa/crypto_access_control/COMPONENT_SPE/TARGET_MBED_SPM/psa_test_partition_partition.c
@@ -149,6 +149,18 @@ spm_rot_service_t test_partition_rot_services[TEST_PARTITION_ROT_SRV_COUNT] = {
 .tail = NULL
 }
 },
+ {
+ .sid = CRYPTO_IMPORT_KEY,
+ .mask = CRYPTO_IMPORT_KEY_MSK,
+ .partition = NULL,
+ .min_version = 1,
+ .min_version_policy = PSA_MINOR_VERSION_POLICY_RELAXED,
+ .allow_nspe = true,
+ .queue = {
+ .head = NULL,
+ .tail = NULL
+ }
+ },
 };
 
 /* External SIDs used by TEST_PARTITION */
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_SPE/psa_test_partition_partition.h b/TESTS/psa/crypto_access_control/COMPONENT_SPE/psa_test_partition_partition.h
index a43f9408ba..7744b75e2d 100644
--- a/TESTS/psa/crypto_access_control/COMPONENT_SPE/psa_test_partition_partition.h
+++ b/TESTS/psa/crypto_access_control/COMPONENT_SPE/psa_test_partition_partition.h
@@ -28,7 +28,7 @@
 #define TEST_PARTITION_ID 128
-#define TEST_PARTITION_ROT_SRV_COUNT (8UL)
+#define TEST_PARTITION_ROT_SRV_COUNT (9UL)
 #define TEST_PARTITION_EXT_ROT_SRV_COUNT (1UL)
 /* TEST_PARTITION event flags */
@@ -56,6 +56,8 @@
 #define CRYPTO_GET_KEY_INFO_MSK (1UL << CRYPTO_GET_KEY_INFO_MSK_POS)
 #define CRYPTO_GET_KEY_POLICY_MSK_POS (11UL)
 #define CRYPTO_GET_KEY_POLICY_MSK (1UL << CRYPTO_GET_KEY_POLICY_MSK_POS)
+#define CRYPTO_IMPORT_KEY_MSK_POS (12UL)
+#define CRYPTO_IMPORT_KEY_MSK (1UL << CRYPTO_IMPORT_KEY_MSK_POS)
 
 #define TEST_PARTITION_WAIT_ANY_SID_MSK (\
 CRYPTO_CREATE_PERSISTENT_KEY_MSK | \
@@ -65,7 +67,8 @@
 CRYPTO_SET_KEY_POLICY_MSK | \
 CRYPTO_DESTROY_KEY_MSK | \
 CRYPTO_GET_KEY_INFO_MSK | \
- CRYPTO_GET_KEY_POLICY_MSK)
+ CRYPTO_GET_KEY_POLICY_MSK | \
+ CRYPTO_IMPORT_KEY_MSK)
 #endif // PSA_TEST_PARTITION_PARTITION_H
diff --git a/TESTS/psa/crypto_access_control/COMPONENT_SPE/test_partition.c b/TESTS/psa/crypto_access_control/COMPONENT_SPE/test_partition.c
index 6b80489acf..3605593151 100644
--- a/TESTS/psa/crypto_access_control/COMPONENT_SPE/test_partition.c
+++ b/TESTS/psa/crypto_access_control/COMPONENT_SPE/test_partition.c
@@ -15,6 +15,7 @@
 * limitations under the License.
 */
 
+#include
 #include "psa_test_partition_partition.h"
 #include "psa/service.h"
 #include "psa/client.h"
@@ -147,6 +148,29 @@ static psa_status_t crypto_get_key_policy(psa_msg_t *msg)
 return (status);
 }
 
+static psa_status_t crypto_import_key(psa_msg_t *msg)
+{
+ psa_status_t status;
+ psa_key_handle_t key_handle;
+ psa_key_type_t key_type;
+ size_t key_data_size;
+ unsigned char *key_data = NULL;
+
+ read_input_param_from_message(msg, 0, &key_handle);
+ read_input_param_from_message(msg, 1, &key_type);
+ read_input_param_from_message(msg, 2, &key_data_size);
+
+ key_data = calloc(1, key_data_size);
+ if (key_data == NULL) {
+ return (PSA_ERROR_INSUFFICIENT_MEMORY);
+ }
+
+ read_input_param_from_message(msg, 3, key_data);
+
+ status = psa_import_key(key_handle, key_type, key_data, key_data_size);
+ return (status);
+}
+
 static void message_handler(psa_msg_t *msg, SignalHandler handler)
 {
 psa_status_t status = 0;
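Review bot: crypto_import_key never releases `key_data`: the buffer is `calloc`'d, handed to `psa_import_key`, and then dropped on every path after the allocation, so each import request from the non-secure side permanently costs the secure partition `key_data_size` bytes of heap and leaves a plaintext copy of the key sitting in memory that is never scrubbed. The buffer is also sized from the client-supplied value read out of vector 2 instead of the length the framework reports for vector 3, so the two can disagree; if this SPM's `psa_msg_t` carries `in_size` as PSA FF specifies, comparing `key_data_size` with `msg->in_size[3]` before allocating and rejecting a mismatch with `PSA_ERROR_INVALID_ARGUMENT` closes that gap (the value in vector 2 then becomes redundant and could be dropped from the proxy in a follow-up). The rewrite below scrubs and frees the buffer once `psa_import_key` returns regardless of status; it assumes `read_input_param_from_message` copies exactly the vector's bytes, which is not visible here, and a plain memset right before free may be elided by the compiler, so prefer the platform's secure-wipe helper if one exists. The `+#include` line in this file's first hunk shows no header name in this rendering — presumably `<stdlib.h>` for calloc — and `<string.h>` would be needed for memset.
```c
static psa_status_t crypto_import_key(psa_msg_t *msg)
{
    /* … unchanged: locals and reads of vectors 0-2 … */

    /* Size the buffer from what the framework actually delivered, not from
     * the client's own claim; a mismatch is a malformed request. */
    if (key_data_size == 0 || key_data_size != msg->in_size[3]) {
        return (PSA_ERROR_INVALID_ARGUMENT);
    }

    /* … unchanged: calloc, NULL check, read of vector 3 … */

    status = psa_import_key(key_handle, key_type, key_data, key_data_size);

    /* The plaintext key must not outlive this call: scrub, then release. */
    memset(key_data, 0, key_data_size);
    free(key_data);
    return (status);
}
```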
@@ -207,5 +231,9 @@ void test_partition_main(void)
 psa_get(CRYPTO_GET_KEY_POLICY_MSK, &msg);
 message_handler(&msg, crypto_get_key_policy);
 }
+ if (signal & CRYPTO_IMPORT_KEY_MSK) {
+ psa_get(CRYPTO_IMPORT_KEY_MSK, &msg);
+ message_handler(&msg, crypto_import_key);
+ }
 }
 }
diff --git a/TESTS/psa/crypto_access_control/crypto_acl_test_partition_psa.json b/TESTS/psa/crypto_access_control/crypto_acl_test_partition_psa.json
index a9baf7f27c..da82a7c333 100644
--- a/TESTS/psa/crypto_access_control/crypto_acl_test_partition_psa.json
+++ b/TESTS/psa/crypto_access_control/crypto_acl_test_partition_psa.json
@@ -70,6 +70,14 @@
 "non_secure_clients": true,
 "minor_version": 1,
 "minor_policy": "RELAXED"
+ },
+ {
+ "name": "CRYPTO_IMPORT_KEY",
+ "identifier": "0x00000208",
+ "signal": "CRYPTO_IMPORT_KEY_MSK",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "RELAXED"
 }
 ],
 "extern_sids": [
diff --git a/TESTS/psa/crypto_access_control/psa_test_partition_ifs.h b/TESTS/psa/crypto_access_control/psa_test_partition_ifs.h
index b1464ff44b..2fd628245c 100644
--- a/TESTS/psa/crypto_access_control/psa_test_partition_ifs.h
+++ b/TESTS/psa/crypto_access_control/psa_test_partition_ifs.h
@@ -34,5 +34,6 @@
 #define CRYPTO_DESTROY_KEY 0x00000205
 #define CRYPTO_GET_KEY_INFO 0x00000206
 #define CRYPTO_GET_KEY_POLICY 0x00000207
+#define CRYPTO_IMPORT_KEY 0x00000208
 #endif // PSA_TEST_PARTITION_PARTITION_ROT_SERVICES_H