1 /*
2 * Copyright (C) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <gtest/gtest.h>
17 #include <string>
18 #include <vector>
19
20 #include <stdlib.h>
21 #include <sys/wait.h>
22 #include <unistd.h>
23
24 #include "directory_ex.h"
25 #include "fbex.h"
26 #include "file_ex.h"
27 #include "fscrypt_key_v1_ext.h"
28 #include "fscrypt_key_v1.h"
29 #include "fscrypt_key_v2.h"
30 #include "huks_master.h"
31 #include "key_blob.h"
32 #include "key_manager.h"
33 #include "libfscrypt/fscrypt_control.h"
34 #include "libfscrypt/fscrypt_sysparam.h"
35 #include "libfscrypt/fscrypt_utils.h"
36 #include "libfscrypt/key_control.h"
37 #include "securec.h"
38
39 using namespace testing::ext;
40 using namespace OHOS::StorageDaemon;
41
42 namespace {
43 const std::string TEST_MNT = "/data";
44 const std::string TEST_DIR_LEGACY = "/data/test/crypto_dir_legacy";
45 const std::string TEST_DIR_V2 = "/data/test/crypto_dir";
46 const std::string TEST_KEYPATH = "/data/test/key/el2/80";
47 const std::string TEST_KEYPATH_BAD = "/sys/test/keypath";
48 const std::string TEST_KEYDIR_VERSION0 = "/version_0";
49 const std::string TEST_KEYDIR_VERSION1 = "/version_1";
50 const std::string TEST_KEYDIR_VERSION2 = "/version_2";
51 const std::string TEST_KEYDIR_LATEST = "/latest";
52 const std::string TEST_KEYDIR_LATEST_BACKUP = "/latest_bak";
53 const std::string TEST_POLICY = "/data/test/policy";
54 const std::string USER_KEY_DIR = "/data/service/el1/public/storage_daemon/sd";
55 const std::string USER_KEY_EL1_DIR = USER_KEY_DIR + "/el1";
56 const std::string USER_KEY_EL2_DIR = USER_KEY_DIR + "/el2";
57 FscryptKeyV1 g_testKeyV1 {TEST_KEYPATH};
58 FscryptKeyV2 g_testKeyV2 {TEST_KEYPATH};
59 }
60
61 class CryptoKeyTest : public testing::Test {
62 public:
63 static void SetUpTestCase(void);
64 static void TearDownTestCase(void);
65 static int32_t ExecSdcBinary(std::vector<std::string> params, int isCrypt);
66 void SetUp();
67 void TearDown();
68 UserAuth emptyUserAuth {};
69 };
70
SetUpTestCase(void)71 void CryptoKeyTest::SetUpTestCase(void)
72 {
73 // input testsuit setup step,setup invoked before all testcases
74 }
75
TearDownTestCase(void)76 void CryptoKeyTest::TearDownTestCase(void)
77 {
78 // input testsuit teardown step,teardown invoked after all testcases
79 }
80
SetUp(void)81 void CryptoKeyTest::SetUp(void)
82 {
83 // input testcase setup step,setup invoked before each testcases
84 }
85
TearDown(void)86 void CryptoKeyTest::TearDown(void)
87 {
88 // input testcase teardown step,teardown invoked after each testcases
89 }
90
ExecSdcBinary(std::vector<std::string> params,int isCrypt)91 int32_t CryptoKeyTest::ExecSdcBinary(std::vector<std::string> params, int isCrypt)
92 {
93 pid_t pid = fork();
94 if (pid < 0) {
95 return -EINVAL;
96 }
97 if (pid == 0) {
98 int ret = -EINVAL;
99 if (!isCrypt) {
100 char * const argv[] = {
101 (char *)"/system/bin/sdc",
102 (char *)"nullcmd",
103 NULL
104 };
105 ret = execv(argv[0], argv);
106 } else if (params.size() == 0) {
107 char * const argv[] = {
108 (char *)"/system/bin/sdc",
109 NULL
110 };
111 ret = execv(argv[0], argv);
112 } else if (params.size() == 1) {
113 char * const argv[] = {
114 (char *)"/system/bin/sdc",
115 (char *)"filecrypt",
116 (char *)params[0].c_str(),
117 NULL
118 };
119 ret = execv(argv[0], argv);
120 } else if (params.size() == 2) {
121 char * const argv[] = {
122 (char *)"/system/bin/sdc",
123 (char *)"filecrypt",
124 (char *)params[0].c_str(),
125 (char *)params[1].c_str(),
126 NULL
127 };
128 ret = execv(argv[0], argv);
129 } else if (params.size() == 3) {
130 char * const argv[] = {
131 (char *)"/system/bin/sdc",
132 (char *)"filecrypt",
133 (char *)params[0].c_str(),
134 (char *)params[1].c_str(),
135 (char *)params[2].c_str(),
136 NULL
137 };
138 ret = execv(argv[0], argv);
139 } else if (params.size() == 4) {
140 char * const argv[] = {
141 (char *)"/system/bin/sdc",
142 (char *)"filecrypt",
143 (char *)params[0].c_str(),
144 (char *)params[1].c_str(),
145 (char *)params[2].c_str(),
146 (char *)params[3].c_str(),
147 NULL
148 };
149 ret = execv(argv[0], argv);
150 }
151 if (ret) {
152 return -EINVAL;
153 }
154 }
155 int status;
156 pid_t ret = waitpid(pid, &status, 0);
157 if (ret != pid) {
158 return -EINVAL;
159 }
160
161 return 0;
162 }
163
164 /**
165 * @tc.name: fscrypt_key_v1_init
166 * @tc.desc: Verify the InitKey function.
167 * @tc.type: FUNC
168 * @tc.require: AR000GK0BP
169 */
170 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_init, TestSize.Level1)
171 {
172 EXPECT_TRUE(g_testKeyV1.InitKey());
173 EXPECT_FALSE(g_testKeyV1.InitKey()); // rawkey not empty
174
175 EXPECT_EQ(FSCRYPT_V1, g_testKeyV1.keyInfo_.version);
176 EXPECT_EQ(CRYPTO_AES_256_XTS_KEY_SIZE, g_testKeyV1.keyInfo_.key.size);
177 EXPECT_NE(nullptr, g_testKeyV1.keyInfo_.key.data.get());
178 g_testKeyV1.keyInfo_.key.Clear();
179 }
180
181 /**
182 * @tc.name: fscrypt_key_v2_init
183 * @tc.desc: Verify the InitKey function.
184 * @tc.type: FUNC
185 * @tc.require: AR000GK0BP
186 */
187 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_init, TestSize.Level1)
188 {
189 #ifdef SUPPORT_FSCRYPT_V2
190 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
191 return;
192 }
193 EXPECT_TRUE(g_testKeyV2.InitKey());
194 EXPECT_EQ(FSCRYPT_V2, g_testKeyV2.keyInfo_.version);
195 EXPECT_EQ(CRYPTO_AES_256_XTS_KEY_SIZE, g_testKeyV2.keyInfo_.key.size);
196 EXPECT_NE(nullptr, g_testKeyV2.keyInfo_.key.data.get());
197 g_testKeyV2.keyInfo_.key.Clear();
198 #else
199 EXPECT_FALSE(g_testKeyV2.InitKey());
200 EXPECT_FALSE(g_testKeyV2.ActiveKey());
201 EXPECT_FALSE(g_testKeyV2.InactiveKey());
202 #endif
203 }
204
205 /**
206 * @tc.name: fscrypt_key_v1_store
207 * @tc.desc: Verify the StoreKey function.
208 * @tc.type: FUNC
209 * @tc.require: AR000GK0BP
210 */
211 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_store, TestSize.Level1)
212 {
213 #ifndef CRYPTO_TEST
214 EXPECT_TRUE(g_testKeyV1.InitKey());
215 g_testKeyV1.StoreKey(emptyUserAuth);
216
217 std::string buf {};
218 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD);
219 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, buf);
220
221 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SECDISC);
222 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SECDISC, buf);
223
224 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_ENCRYPTED);
225 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_ENCRYPTED, buf);
226 #else
227 EXPECT_TRUE(g_testKeyV1.InitKey());
228 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
229
230 std::string buf {};
231 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
232 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, buf));
233
234 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SECDISC));
235 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SECDISC, buf));
236 EXPECT_EQ(CRYPTO_KEY_SECDISC_SIZE, buf.size());
237
238 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_ENCRYPTED));
239 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_ENCRYPTED, buf));
240 // the plaintext of 64 bytes, encrypted to 80 bytes size by huks.
241 EXPECT_EQ(80U, buf.size());
242 #endif
243 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + PATH_FSCRYPT_VER));
244 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + PATH_FSCRYPT_VER, buf));
245 EXPECT_EQ(1U, buf.length());
246 EXPECT_EQ('1', buf[0]);
247
248 FscryptKeyV1 g_testKeyV1BadDir {TEST_KEYPATH_BAD};
249 EXPECT_TRUE(g_testKeyV1BadDir.InitKey());
250 EXPECT_FALSE(g_testKeyV1BadDir.StoreKey(emptyUserAuth));
251 EXPECT_FALSE(g_testKeyV1BadDir.UpdateKey());
252 EXPECT_FALSE(g_testKeyV1BadDir.ActiveKey());
253 }
254
255 #ifdef SUPPORT_FSCRYPT_V2
256 /**
257 * @tc.name: fscrypt_key_v2_store
258 * @tc.desc: Verify the StoreKey function.
259 * @tc.type: FUNC
260 * @tc.require: AR000GK0BP
261 */
262 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_store, TestSize.Level1)
263 {
264 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
265 return;
266 }
267 g_testKeyV2.ClearKey();
268 EXPECT_TRUE(g_testKeyV2.InitKey());
269 EXPECT_TRUE(g_testKeyV2.StoreKey(emptyUserAuth));
270 EXPECT_TRUE(g_testKeyV2.StoreKey(emptyUserAuth));
271
272 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
273 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SECDISC));
274 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_ENCRYPTED));
275 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD));
276 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SECDISC));
277 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_ENCRYPTED));
278
279 std::string buf {};
280 OHOS::LoadStringFromFile(TEST_KEYPATH + PATH_FSCRYPT_VER, buf);
281 EXPECT_EQ(1U, buf.length());
282 EXPECT_EQ('2', buf[0]);
283 }
284
285 /**
286 * @tc.name: fscrypt_key_v2_update
287 * @tc.desc: Verify the UpdateKey function.
288 * @tc.type: FUNC
289 * @tc.require: AR000GK0BP
290 */
291 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_update, TestSize.Level1)
292 {
293 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
294 return;
295 }
296 std::string buf {};
297 EXPECT_TRUE(g_testKeyV2.UpdateKey());
298
299 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
300 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD));
301 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD));
302 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SECDISC));
303 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_ENCRYPTED));
304 OHOS::LoadStringFromFile(TEST_KEYPATH + PATH_FSCRYPT_VER, buf);
305 EXPECT_EQ(1U, buf.length());
306 EXPECT_EQ('2', buf[0]);
307 }
308
309 /**
310 * @tc.name: fscrypt_key_v1_restore_fail_wrong_version
311 * @tc.desc: Verify the RestoreKey function.
312 * @tc.type: FUNC
313 * @tc.require: AR000GK0BP
314 */
315 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_restore_fail_wrong_version, TestSize.Level1)
316 {
317 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
318 return;
319 }
320 g_testKeyV1.keyInfo_.key.Clear();
321 // the version loaded is v2, not expected v1.
322 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth));
323 }
324 #endif
325
326 /**
327 * @tc.name: fscrypt_key_v1_restore
328 * @tc.desc: Verify the RestoreKey function.
329 * @tc.type: FUNC
330 * @tc.require: AR000GK0BP
331 */
332 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_restore, TestSize.Level1)
333 {
334 g_testKeyV1.ClearKey();
335 EXPECT_TRUE(g_testKeyV1.InitKey());
336 #ifndef CRYPTO_TEST
337 g_testKeyV1.StoreKey(emptyUserAuth);
338 g_testKeyV1.UpdateKey();
339 g_testKeyV1.RestoreKey(emptyUserAuth);
340
341 EXPECT_EQ(CRYPTO_AES_256_XTS_KEY_SIZE, g_testKeyV1.keyInfo_.key.size);
342 EXPECT_NE(nullptr, g_testKeyV1.keyInfo_.key.data.get());
343 EXPECT_EQ(FSCRYPT_V1, g_testKeyV1.keyInfo_.version);
344 OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SECDISC, "bad secdesc");
345 #else
346 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
347 EXPECT_TRUE(g_testKeyV1.UpdateKey());
348 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
349
350 EXPECT_EQ(CRYPTO_AES_256_XTS_KEY_SIZE, g_testKeyV1.keyInfo_.key.size);
351 EXPECT_NE(nullptr, g_testKeyV1.keyInfo_.key.data.get());
352 EXPECT_EQ(FSCRYPT_V1, g_testKeyV1.keyInfo_.version);
353 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SECDISC, "bad secdesc"));
354 #endif
355 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth)); // should decrypt failed
356 remove(std::string(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SECDISC).c_str());
357 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth));
358 remove(std::string(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD).c_str());
359 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth));
360 remove(std::string(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_ENCRYPTED).c_str());
361 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth));
362 remove(std::string(TEST_KEYPATH + "/fscrypt_version").c_str());
363 EXPECT_FALSE(g_testKeyV1.RestoreKey(emptyUserAuth));
364 }
365
366 /**
367 * @tc.name: fscrypt_key_v1_active
368 * @tc.desc: Verify the ActiveKey function of v1 key.
369 * @tc.type: FUNC
370 * @tc.require: AR000GK0BP
371 */
372 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_active, TestSize.Level1)
373 {
374 g_testKeyV1.ClearKey();
375 EXPECT_FALSE(g_testKeyV1.ActiveKey()); // active empty key should fail
376 EXPECT_TRUE(g_testKeyV1.InitKey());
377 #ifndef CRYPTO_TEST
378 g_testKeyV1.StoreKey(emptyUserAuth);
379 #else
380 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
381 #endif
382 EXPECT_FALSE(g_testKeyV1.keyInfo_.key.IsEmpty());
383 EXPECT_EQ(FSCRYPT_V1, g_testKeyV1.keyInfo_.version);
384
385 EXPECT_TRUE(g_testKeyV1.ActiveKey(FIRST_CREATE_KEY));
386 // raw key should be erase after install to kernel.
387 EXPECT_FALSE(g_testKeyV1.keyInfo_.key.IsEmpty());
388 EXPECT_TRUE(g_testKeyV1.keyInfo_.keyId.IsEmpty());
389 // key desc saved in memory for later clear key.
390 EXPECT_FALSE(g_testKeyV1.keyInfo_.keyDesc.IsEmpty());
391
392 // v1 key installed, and key_desc was saved on disk.
393 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + PATH_KEYDESC));
394
395 FscryptKeyV1 g_testKeyV1BadLen {TEST_KEYPATH, CRYPTO_AES_256_XTS_KEY_SIZE * 2};
396 EXPECT_TRUE(g_testKeyV1BadLen.InitKey());
397 EXPECT_FALSE(g_testKeyV1BadLen.InactiveKey());
398 EXPECT_FALSE(g_testKeyV1BadLen.ActiveKey());
399 }
400
401 /**
402 * @tc.name: fscrypt_key_v1_clear
403 * @tc.desc: Verify the ClearKey function.
404 * @tc.type: FUNC
405 * @tc.require: AR000GK0BP
406 */
407 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_clear, TestSize.Level1)
408 {
409 EXPECT_TRUE(g_testKeyV1.ClearKey());
410 EXPECT_TRUE(g_testKeyV1.keyInfo_.key.IsEmpty());
411 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + PATH_KEYDESC));
412 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + PATH_FSCRYPT_VER));
413 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD));
414 }
415
416 /**
417 * @tc.name: fscrypt_key_v1_policy_set
418 * @tc.desc: Verify the fscrypt V1 KeyCtrl::SetPolicy function.
419 * @tc.type: FUNC
420 * @tc.require: AR000GK0BO
421 */
422 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_policy_set, TestSize.Level1)
423 {
424 EXPECT_TRUE(g_testKeyV1.InitKey());
425 #ifndef CRYPTO_TEST
426 g_testKeyV1.StoreKey(emptyUserAuth);
427 #else
428 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
429 #endif
430 EXPECT_TRUE(g_testKeyV1.ActiveKey(FIRST_CREATE_KEY));
431
432 FscryptPolicy arg;
433 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
434 arg.v1.version = FSCRYPT_POLICY_V1;
435 (void)memcpy_s(arg.v1.master_key_descriptor, FSCRYPT_KEY_DESCRIPTOR_SIZE, g_testKeyV1.keyInfo_.keyDesc.data.get(),
436 g_testKeyV1.keyInfo_.keyDesc.size);
437 arg.v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
438 arg.v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
439 arg.v1.flags = FSCRYPT_POLICY_FLAGS_PAD_32;
440 // Default to maximum zero-padding to leak less info about filename lengths.
441 OHOS::ForceRemoveDirectory(TEST_DIR_LEGACY);
442 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY));
443 EXPECT_TRUE(KeyCtrlSetPolicy(TEST_DIR_LEGACY.c_str(), &arg));
444
445 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY + "/test_dir"));
446 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/test_file1", "hello, world!\n"));
447 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/test_file2", "AA"));
448 }
449
450 /**
451 * @tc.name: fscrypt_key_v1_policy_get
452 * @tc.desc: Verify the fscrypt V1 KeyCtrl::GetPolicy function.
453 * @tc.type: FUNC
454 * @tc.require: AR000GK0BO
455 */
456 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_policy_get, TestSize.Level1)
457 {
458 struct fscrypt_policy arg;
459 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
460 EXPECT_TRUE(KeyCtrlGetPolicy(TEST_DIR_LEGACY.c_str(), &arg));
461 EXPECT_EQ(FSCRYPT_POLICY_V1, arg.version);
462
463 std::string testDir = TEST_DIR_LEGACY + "/test_dir";
464 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
465 EXPECT_TRUE(KeyCtrlGetPolicy(testDir.c_str(), &arg));
466 EXPECT_EQ(FSCRYPT_POLICY_V1, arg.version);
467
468 EXPECT_FALSE(KeyCtrlGetPolicy(NULL, NULL));
469 EXPECT_FALSE(KeyCtrlGetPolicy(testDir.c_str(), NULL));
470 }
471
472 /**
473 * @tc.name: fscrypt_key_v1_key_inactive
474 * @tc.desc: Verify the FscryptKeyV1 InactiveKey function.
475 * @tc.type: FUNC
476 * @tc.require: AR000GK0BO
477 */
478 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_key_inactive, TestSize.Level1)
479 {
480 EXPECT_TRUE(g_testKeyV1.InactiveKey(USER_DESTROY));
481
482 #ifdef SUPPORT_FSCRYPT_V2
483 EXPECT_FALSE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY + "/test_dir1"));
484 EXPECT_FALSE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/test_file3", "AAA"));
485 // earlier kernels may have different behaviour.
486 #endif
487 }
488
489 #ifdef SUPPORT_FSCRYPT_V2
490 /**
491 * @tc.name: fscrypt_key_v2_active
492 * @tc.desc: Verify the fscrypt V2 active function.
493 * @tc.type: FUNC
494 * @tc.require: AR000GK0BP
495 */
496 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_active, TestSize.Level1)
497 {
498 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
499 return;
500 }
501 g_testKeyV2.ClearKey();
502 EXPECT_TRUE(g_testKeyV2.InitKey());
503 EXPECT_TRUE(g_testKeyV2.StoreKey(emptyUserAuth));
504 EXPECT_TRUE(g_testKeyV2.ActiveKey());
505
506 // raw key should be erase after install to kernel.
507 EXPECT_TRUE(g_testKeyV2.keyInfo_.key.IsEmpty());
508 EXPECT_TRUE(g_testKeyV2.keyInfo_.keyDesc.IsEmpty());
509 EXPECT_EQ(static_cast<unsigned int>(FSCRYPT_KEY_IDENTIFIER_SIZE), g_testKeyV2.keyInfo_.keyId.size);
510 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + PATH_KEYID));
511 }
512
513 /**
514 * @tc.name: fscrypt_key_v2_policy_set
515 * @tc.desc: Verify the fscrypt V2 setpolicy function.
516 * @tc.type: FUNC
517 * @tc.require: AR000GK0BO
518 */
519 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_policy_set, TestSize.Level1)
520 {
521 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
522 return;
523 }
524 EXPECT_EQ(FSCRYPT_V2, g_testKeyV2.keyInfo_.version);
525 FscryptPolicy arg;
526 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
527 arg.v2.version = FSCRYPT_POLICY_V2;
528 (void)memcpy_s(arg.v2.master_key_identifier, FSCRYPT_KEY_IDENTIFIER_SIZE, g_testKeyV2.keyInfo_.keyId.data.get(),
529 g_testKeyV2.keyInfo_.keyId.size);
530 arg.v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
531 arg.v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
532 arg.v2.flags = FSCRYPT_POLICY_FLAGS_PAD_32;
533 // Default to maximum zero-padding to leak less info about filename lengths.
534 OHOS::ForceRemoveDirectory(TEST_DIR_V2);
535 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_V2));
536 EXPECT_TRUE(KeyCtrlSetPolicy(TEST_DIR_V2.c_str(), &arg));
537
538 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_V2 + "/test_dir"));
539 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file1", "hello, world!\n"));
540 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file2", "AA"));
541 }
542
543 /**
544 * @tc.name: fscrypt_key_v2_policy_get
545 * @tc.desc: Verify the fscrypt V2 getpolicy function.
546 * @tc.type: FUNC
547 * @tc.require: AR000GK0BO
548 */
549 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_policy_get, TestSize.Level1)
550 {
551 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
552 return;
553 }
554 struct fscrypt_get_policy_ex_arg arg;
555 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
556 arg.policy_size = sizeof(arg.policy);
557 EXPECT_TRUE(KeyCtrlGetPolicyEx(TEST_DIR_V2.c_str(), &arg));
558 EXPECT_EQ(FSCRYPT_POLICY_V2, arg.policy.version);
559
560 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
561 arg.policy_size = sizeof(arg.policy);
562 std::string testDir = TEST_DIR_V2 + "/test_dir";
563 EXPECT_TRUE(KeyCtrlGetPolicyEx(testDir.c_str(), &arg));
564 EXPECT_EQ(FSCRYPT_POLICY_V2, arg.policy.version);
565 }
566
567 /**
568 * @tc.name: fscrypt_key_v2_policy_inactive
569 * @tc.desc: Verify the fscryptV2 InactiveKey function.
570 * @tc.type: FUNC
571 * @tc.require: AR000GK0BP
572 */
573 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_policy_inactive, TestSize.Level1)
574 {
575 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
576 return;
577 }
578 EXPECT_TRUE(g_testKeyV2.InactiveKey());
579 // When the v2 policy removed, the files are encrypted.
580 EXPECT_FALSE(OHOS::FileExists(TEST_DIR_V2 + "/test_dir"));
581 EXPECT_FALSE(OHOS::FileExists(TEST_DIR_V2 + "/test_file1"));
582 EXPECT_FALSE(OHOS::FileExists(TEST_DIR_V2 + "/test_file2"));
583 }
584
585 /**
586 * @tc.name: fscrypt_key_v2_policy_restore
587 * @tc.desc: Verify the fscrypt V2 restore and decrypt.
588 * @tc.type: FUNC
589 * @tc.require: AR000GK0BP
590 */
591 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_policy_restore, TestSize.Level1)
592 {
593 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
594 return;
595 }
596 EXPECT_TRUE(g_testKeyV2.RestoreKey(emptyUserAuth));
597 EXPECT_EQ(FSCRYPT_V2, g_testKeyV2.keyInfo_.version);
598 EXPECT_TRUE(g_testKeyV2.ActiveKey());
599
600 // the files is decrypted now
601 EXPECT_TRUE(OHOS::FileExists(TEST_DIR_V2 + "/test_dir"));
602 EXPECT_TRUE(OHOS::FileExists(TEST_DIR_V2 + "/test_file1"));
603 EXPECT_TRUE(OHOS::FileExists(TEST_DIR_V2 + "/test_file2"));
604
605 EXPECT_TRUE(g_testKeyV2.ClearKey());
606 }
607
608 /**
609 * @tc.name: fscrypt_key_v2_load_and_set_policy_default
610 * @tc.desc: Verify the KeyCtrl::LoadAndSetPolicy function.
611 * @tc.type: FUNC
612 * @tc.require: AR000GK0BO
613 */
614 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_load_and_set_policy_default, TestSize.Level1)
615 {
616 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
617 return;
618 }
619 g_testKeyV2.ClearKey();
620 EXPECT_TRUE(g_testKeyV2.InitKey());
621 EXPECT_TRUE(g_testKeyV2.StoreKey(emptyUserAuth));
622 EXPECT_TRUE(g_testKeyV2.ActiveKey());
623
624 EXPECT_EQ(0, SetFscryptSysparam("2:aes-256-cts:aes-256-xts"));
625 EXPECT_EQ(0, InitFscryptPolicy());
626
627 OHOS::ForceRemoveDirectory(TEST_DIR_V2);
628 OHOS::ForceCreateDirectory(TEST_DIR_V2);
629 EXPECT_EQ(0, LoadAndSetPolicy(g_testKeyV2.GetDir().c_str(), TEST_DIR_V2.c_str()));
630
631 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_V2 + "/test_dir"));
632 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file1", "hello, world!\n"));
633 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file2", "AA"));
634 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/111111111111111111111111111111111111111111111111", "AA"));
635
636 EXPECT_TRUE(g_testKeyV2.ClearKey());
637 }
638 #endif
639
640 /**
641 * @tc.name: fscrypt_key_v1_load_and_set_policy_default
642 * @tc.desc: Verify the fscrypt V1 setpolicy function.
643 * @tc.type: FUNC
644 * @tc.require: AR000GK0BO
645 */
646 HWTEST_F(CryptoKeyTest, fscrypt_key_v1_load_and_set_policy_default, TestSize.Level1)
647 {
648 g_testKeyV1.ClearKey();
649 EXPECT_TRUE(g_testKeyV1.InitKey());
650 #ifndef CRYPTO_TEST
651 g_testKeyV1.StoreKey(emptyUserAuth);
652 #else
653 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
654 #endif
655 EXPECT_TRUE(g_testKeyV1.ActiveKey(FIRST_CREATE_KEY));
656
657 EXPECT_EQ(0, SetFscryptSysparam("1:aes-256-cts:aes-256-xts"));
658 EXPECT_EQ(0, InitFscryptPolicy());
659
660 OHOS::ForceRemoveDirectory(TEST_DIR_LEGACY);
661 OHOS::ForceCreateDirectory(TEST_DIR_LEGACY);
662 EXPECT_EQ(0, LoadAndSetPolicy(g_testKeyV1.GetDir().c_str(), TEST_DIR_LEGACY.c_str()));
663
664 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY + "/test_dir"));
665 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/test_file1", "hello, world!\n"));
666 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/test_file2", "AA"));
667 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_LEGACY + "/111111111111111111111111111111111111111111111111", "AA"));
668
669 EXPECT_TRUE(g_testKeyV1.ClearKey());
670 }
671
672 /**
673 * @tc.name: fscrypt_key_storekey_version_test_1
674 * @tc.desc: Verify the fscrypt storekey function.
675 * @tc.type: FUNC
676 * @tc.require: AR000GK0BO
677 */
678 HWTEST_F(CryptoKeyTest, fscrypt_key_storekey_version_test_1, TestSize.Level1)
679 {
680 EXPECT_TRUE(g_testKeyV1.InitKey());
681 #ifndef CRYPTO_TEST
682 // storekey to version 0
683 g_testKeyV1.StoreKey(emptyUserAuth);
684 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD);
685 std::string keyShieldV0;
686 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0);
687
688 // storekey to version 1
689 g_testKeyV1.StoreKey(emptyUserAuth);
690 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD);
691 std::string keyShieldV1;
692 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD, keyShieldV1);
693
694 // storekey to version 2
695 g_testKeyV1.StoreKey(emptyUserAuth);
696 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION2 + PATH_SHIELD);
697 std::string keyShieldV2;
698 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION2 + PATH_SHIELD, keyShieldV2);
699
700 // updatekey will rename version 2 to latest
701 g_testKeyV1.UpdateKey();
702 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD);
703 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP + PATH_SHIELD));
704 std::string keyShieldLatest;
705 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD, keyShieldLatest);
706 EXPECT_EQ(keyShieldLatest, keyShieldV2);
707 #else
708 // storekey to version 0
709 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
710 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
711 std::string keyShieldV0;
712 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0));
713
714 // storekey to version 1
715 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
716 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD));
717 std::string keyShieldV1;
718 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD, keyShieldV1));
719 EXPECT_NE(keyShieldV0, keyShieldV1);
720
721 // storekey to version 2
722 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
723 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION2 + PATH_SHIELD));
724 std::string keyShieldV2;
725 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION2 + PATH_SHIELD, keyShieldV2));
726 EXPECT_NE(keyShieldV1, keyShieldV2);
727
728 // updatekey will rename version 2 to latest
729 EXPECT_TRUE(g_testKeyV1.UpdateKey());
730 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD));
731 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP + PATH_SHIELD));
732 std::string keyShieldLatest;
733 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD, keyShieldLatest));
734 EXPECT_EQ(keyShieldLatest, keyShieldV2);
735 #endif
736 }
737
738 /**
739 * @tc.name: fscrypt_key_storekey_version_test_2
740 * @tc.desc: Verify the fscrypt storekey function.
741 * @tc.type: FUNC
742 * @tc.require: AR000GK0BO
743 */
744 HWTEST_F(CryptoKeyTest, fscrypt_key_storekey_version_test_2, TestSize.Level1)
745 {
746 #ifndef CRYPTO_TEST
747 g_testKeyV1.RestoreKey(emptyUserAuth);
748
749 // storekey to version 0
750 g_testKeyV1.StoreKey(emptyUserAuth);
751 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD);
752 std::string keyShieldV0;
753 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0);
754
755 // storekey to version 1
756 g_testKeyV1.StoreKey(emptyUserAuth);
757 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD);
758 std::string keyShieldV1;
759 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD, keyShieldV1);
760
761 // restorekey will decrypt from versions and rename first success one to latest
762 g_testKeyV1.RestoreKey(emptyUserAuth);
763 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD);
764 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP + PATH_SHIELD));
765 std::string keyShieldLatest;
766 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD, keyShieldLatest);
767 EXPECT_EQ(keyShieldLatest, keyShieldV1);
768 #else
769 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
770
771 // storekey to version 0
772 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
773 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
774 std::string keyShieldV0;
775 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0));
776
777 // storekey to version 1
778 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
779 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD));
780 std::string keyShieldV1;
781 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION1 + PATH_SHIELD, keyShieldV1));
782
783 // restorekey will decrypt from versions and rename first success one to latest
784 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
785 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD));
786 EXPECT_FALSE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP + PATH_SHIELD));
787 std::string keyShieldLatest;
788 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_LATEST + PATH_SHIELD, keyShieldLatest));
789 EXPECT_EQ(keyShieldLatest, keyShieldV1);
790 #endif
791 }
792
793 /**
794 * @tc.name: fscrypt_key_storekey_version_test_3
795 * @tc.desc: Verify the fscrypt storekey function.
796 * @tc.type: FUNC
797 * @tc.require: AR000GK0BO
798 */
799 HWTEST_F(CryptoKeyTest, fscrypt_key_storekey_version_test_3, TestSize.Level1)
800 {
801 #ifndef CRYPTO_TEST
802 // storekey to version 0
803 g_testKeyV1.StoreKey(emptyUserAuth);
804 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD);
805 std::string keyShieldV0A;
806 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0A);
807
808 // latest dir broken, not affect restore and update operation
809 OHOS::ForceRemoveDirectory(TEST_KEYPATH + TEST_KEYDIR_LATEST);
810 OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST, "latest is a file");
811 g_testKeyV1.RestoreKey(emptyUserAuth);
812 OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD);
813 std::string keyShieldV0B;
814 OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0B);
815 EXPECT_TRUE(keyShieldV0A == keyShieldV0B);
816 g_testKeyV1.RestoreKey(emptyUserAuth);
817 EXPECT_FALSE(g_testKeyV1.UpdateKey());
818
819 // latest dir backup also broken, not affect restore and update operation
820 OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP, "latest_backup is a file");
821 EXPECT_FALSE(g_testKeyV1.UpdateKey());
822 g_testKeyV1.RestoreKey(emptyUserAuth);
823 #else
824 // storekey to version 0
825 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
826 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
827 std::string keyShieldV0A;
828 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0A));
829
830 // latest dir broken, not affect restore and update operation
831 OHOS::ForceRemoveDirectory(TEST_KEYPATH + TEST_KEYDIR_LATEST);
832 OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST, "latest is a file");
833 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
834 EXPECT_TRUE(OHOS::FileExists(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD));
835 std::string keyShieldV0B;
836 EXPECT_TRUE(OHOS::LoadStringFromFile(TEST_KEYPATH + TEST_KEYDIR_VERSION0 + PATH_SHIELD, keyShieldV0B));
837 EXPECT_TRUE(keyShieldV0A == keyShieldV0B);
838 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
839 EXPECT_FALSE(g_testKeyV1.UpdateKey());
840
841 // latest dir backup also broken, not affect restore and update operation
842 OHOS::SaveStringToFile(TEST_KEYPATH + TEST_KEYDIR_LATEST_BACKUP, "latest_backup is a file");
843 EXPECT_FALSE(g_testKeyV1.UpdateKey());
844 EXPECT_TRUE(g_testKeyV1.RestoreKey(emptyUserAuth));
845 #endif
846 }
847
848 #ifdef SUPPORT_FSCRYPT_V2
849 /**
850 * @tc.name: fscrypt_key_v2_load_and_set_policy_padding_4
851 * @tc.desc: Verify the KeyCtrl::LoadAndSetPolicy function.
852 * @tc.type: FUNC
853 * @tc.require: AR000GK0BO
854 */
855 HWTEST_F(CryptoKeyTest, fscrypt_key_v2_load_and_set_policy_padding_4, TestSize.Level1)
856 {
857 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) == FSCRYPT_V1) {
858 return;
859 }
860 g_testKeyV2.ClearKey();
861 EXPECT_TRUE(g_testKeyV2.InitKey());
862 EXPECT_TRUE(g_testKeyV2.StoreKey(emptyUserAuth));
863 EXPECT_TRUE(g_testKeyV2.ActiveKey());
864
865 EXPECT_EQ(0, SetFscryptSysparam("2:aes-256-cts:aes-256-xts"));
866 EXPECT_EQ(0, InitFscryptPolicy());
867
868 OHOS::ForceRemoveDirectory(TEST_DIR_V2);
869 OHOS::ForceCreateDirectory(TEST_DIR_V2);
870 EXPECT_EQ(0, LoadAndSetPolicy(g_testKeyV2.GetDir().c_str(), TEST_DIR_V2.c_str()));
871
872 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_V2 + "/test_dir"));
873 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file1", "hello, world!\n"));
874 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/test_file2", "AA"));
875 EXPECT_TRUE(OHOS::SaveStringToFile(TEST_DIR_V2 + "/111111111111111111111111111111111111111111111111", "AA"));
876
877 struct fscrypt_get_policy_ex_arg arg;
878 (void)memset_s(&arg, sizeof(arg), 0, sizeof(arg));
879 arg.policy_size = sizeof(arg.policy);
880 EXPECT_TRUE(KeyCtrlGetPolicyEx(TEST_DIR_V2.c_str(), &arg));
881 EXPECT_EQ(FSCRYPT_POLICY_V2, arg.policy.version);
882 EXPECT_EQ(FSCRYPT_MODE_AES_256_CTS, arg.policy.v2.filenames_encryption_mode);
883 EXPECT_EQ(FSCRYPT_MODE_AES_256_XTS, arg.policy.v2.contents_encryption_mode);
884
885 EXPECT_TRUE(g_testKeyV2.ClearKey());
886 }
887 #endif
888
889 /**
890 * @tc.name: key_manager_generate_delete_user_keys
891 * @tc.desc: Verify the KeyManager GenerateUserKeys and DeleteUserKeys
892 * @tc.type: FUNC
893 * @tc.require: SR000H0CM9
894 */
895 HWTEST_F(CryptoKeyTest, key_manager_generate_delete_user_keys, TestSize.Level1)
896 {
897 uint32_t userId = 81;
898 const string USER_EL1_DIR = "/data/test/user/el1";
899 const string USER_EL2_DIR = "/data/test/user/el2";
900
901 EXPECT_EQ(0, SetFscryptSysparam("2:aes-256-cts:aes-256-xts"));
902 EXPECT_EQ(0, InitFscryptPolicy());
903 OHOS::ForceRemoveDirectory(USER_EL1_DIR);
904 OHOS::ForceRemoveDirectory(USER_EL2_DIR);
905 MkDirRecurse(USER_EL1_DIR, S_IRWXU);
906 MkDirRecurse(USER_EL2_DIR, S_IRWXU);
907
908 OHOS::ForceRemoveDirectory(USER_KEY_EL1_DIR);
909 OHOS::ForceRemoveDirectory(USER_KEY_EL2_DIR);
910 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->GenerateUserKeys(userId, 0)); // no user_el1_dir
911
912 KeyManager::GetInstance()->InitGlobalDeviceKey();
913 KeyManager::GetInstance()->InitGlobalUserKeys();
914 UserTokenSecret userTokenSecret = {.token = {'t', 'o', 'k', 'e', 'n'}, .oldSecret = {},
915 .newSecret = {'s', 'e', 'c', 'r', 'e', 't'}, .secureUid = 0};
916 UserTokenSecret userTokenSecretNull = {.token = {}, .oldSecret = {}, .newSecret = {}, .secureUid = 0};
917 #ifndef CRYPTO_TEST
918 KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
919 KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
920 #else
921 EXPECT_EQ(0, KeyManager::GetInstance()->GenerateUserKeys(userId, 0));
922 EXPECT_EQ(-EEXIST, KeyManager::GetInstance()->GenerateUserKeys(userId, 0)); // key existed
923 EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL1_KEY, {{userId, USER_EL1_DIR}}));
924 EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
925 EXPECT_EQ(0, KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecretNull));
926 EXPECT_EQ(0, KeyManager::GetInstance()->UpdateKeyContext(userId));
927 KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
928 EXPECT_EQ(-EFAULT, KeyManager::GetInstance()->UpdateKeyContext(userId)); // no need to update keycontext
929 KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
930 EXPECT_EQ(0, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));
931 EXPECT_EQ(0, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {})); /// have been actived, also return 0
932 EXPECT_EQ(0, KeyManager::GetInstance()->DeleteUserKeys(userId));
933 #endif
934
935 EXPECT_EQ(0, SetFscryptSysparam("1:aes-256-cts:aes-256-xts"));
936 KeyManager::GetInstance()->InitGlobalDeviceKey();
937 KeyManager::GetInstance()->InitGlobalUserKeys();
938 userId = 801; // bad userId, not generated
939 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL1_KEY, {{userId, USER_EL1_DIR}}));
940 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
941 EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, static_cast<KeyType>(0),
942 {{userId, USER_EL2_DIR}})); // bad keytype
943 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecretNull));
944 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateKeyContext(userId));
945 EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->InActiveUserKey(userId));
946 EXPECT_EQ(-EFAULT, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));
947 EXPECT_EQ(-EFAULT, KeyManager::GetInstance()->DeleteUserKeys(userId));
948 }
949
950 /**
951 * @tc.name: fscrypt_key_secure_access_control
952 * @tc.desc: Verify the secure access when user have pin code.
953 * @tc.type: FUNC
954 * @tc.require: SR000H0CLT
955 */
956 HWTEST_F(CryptoKeyTest, fscrypt_key_secure_access_control, TestSize.Level1)
957 {
958 g_testKeyV1.ClearKey();
959 EXPECT_TRUE(g_testKeyV1.InitKey());
960 #ifndef CRYPTO_TEST
961 g_testKeyV1.StoreKey(emptyUserAuth);
962 #else
963 EXPECT_TRUE(g_testKeyV1.StoreKey(emptyUserAuth));
964 #endif
965 std::string token = "bad_token";
966 std::string secret = "bad_secret";
967 std::vector<uint8_t> badToken(token.begin(), token.end());
968 std::vector<uint8_t> badSecret(secret.begin(), secret.end());
969 UserAuth badUserAuth {
970 .token = badToken,
971 .secret = badSecret
972 };
973 EXPECT_FALSE(g_testKeyV1.RestoreKey(badUserAuth));
974 EXPECT_TRUE(g_testKeyV1.ClearKey());
975 }
976
977 /**
978 * @tc.name: fscrypt_sdc_filecrypt
979 * @tc.desc: Verify the sdc interface.
980 * @tc.type: FUNC
981 * @tc.require: SR000H0CLT
982 */
983 HWTEST_F(CryptoKeyTest, fscrypt_sdc_filecrypt, TestSize.Level1)
984 {
985 std::vector<std::string> params;
986
987 // test no param
988 params.clear();
989 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 0));
990
991 // test not filecrypt param
992 params.clear();
993 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
994
995 // test filecrypt cmd not existed
996 params.push_back("noexisted");
997 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
998
999 // test sdc enable
1000 params.push_back("enable");
1001 params.push_back("2:abs-256-cts:aes-256-xts");
1002 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1003 params.clear();
1004 params.push_back("enable");
1005 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1006 params.clear();
1007
1008 // test sdc init_global_key
1009 params.push_back("init_global_key");
1010 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1011 params.clear();
1012
1013 // test sdc init_main_user
1014 params.push_back("init_main_user");
1015 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1016 params.clear();
1017
1018 // test sdc inactive_user_key
1019 params.push_back("inactive_user_key");
1020 params.push_back("id");
1021 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1022 params.clear();
1023 params.push_back("inactive_user_key");
1024 params.push_back("10");
1025 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1026 params.clear();
1027 params.push_back("inactive_user_key");
1028 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1029 params.clear();
1030
1031 // test sdc update_key_context
1032 params.push_back("update_key_context");
1033 params.push_back("id");
1034 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1035 params.clear();
1036 params.push_back("update_key_context");
1037 params.push_back("10");
1038 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1039 params.clear();
1040 params.push_back("update_key_context");
1041 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1042 params.clear();
1043
1044 // test sdc delete_user_keys
1045 params.push_back("delete_user_keys");
1046 params.push_back("id");
1047 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1048 params.clear();
1049 params.push_back("delete_user_keys");
1050 params.push_back("10");
1051 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1052 params.clear();
1053 params.push_back("delete_user_keys");
1054 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1055 params.clear();
1056
1057 // test sdc generate_user_keys
1058 params.push_back("generate_user_keys");
1059 params.push_back("id");
1060 params.push_back("flag");
1061 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1062 params.clear();
1063 params.push_back("generate_user_keys");
1064 params.push_back("10");
1065 params.push_back("0");
1066 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1067 params.clear();
1068 params.push_back("generate_user_keys");
1069 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1070 params.clear();
1071
1072 // test sdc prepare_user_space
1073 params.push_back("prepare_user_space");
1074 params.push_back("id");
1075 params.push_back("flag");
1076 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1077 params.clear();
1078 params.push_back("prepare_user_space");
1079 params.push_back("10");
1080 params.push_back("0");
1081 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1082 params.clear();
1083 params.push_back("prepare_user_space");
1084 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1085 params.clear();
1086
1087 // test sdc destroy_user_space
1088 params.push_back("destroy_user_space");
1089 params.push_back("id");
1090 params.push_back("flag");
1091 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1092 params.clear();
1093 params.push_back("destroy_user_space");
1094 params.push_back("10");
1095 params.push_back("0");
1096 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1097 params.clear();
1098 params.push_back("destroy_user_space");
1099 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1100 params.clear();
1101
1102 // test sdc update_user_auth
1103 params.push_back("update_user_auth");
1104 params.push_back("id");
1105 params.push_back("01234567890abcd");
1106 params.push_back("01234567890abcd");
1107 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1108 params.clear();
1109 params.push_back("update_user_auth");
1110 params.push_back("10");
1111 params.push_back("01234567890abcd");
1112 params.push_back("01234567890abcd");
1113 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1114 params.clear();
1115 params.push_back("update_user_auth");
1116 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1117 params.clear();
1118 params.push_back("update_user_auth");
1119 params.push_back("10");
1120 params.push_back("01234567890abcd");
1121 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1122 params.clear();
1123
1124 // test sdc active_user_key
1125 params.push_back("active_user_key");
1126 params.push_back("id");
1127 params.push_back("01234567890abcd");
1128 params.push_back("01234567890abcd");
1129 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1130 params.clear();
1131 params.push_back("active_user_key");
1132 params.push_back("10");
1133 params.push_back("01234567890abcd");
1134 params.push_back("01234567890abcd");
1135 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1136 params.clear();
1137 params.push_back("active_user_key");
1138 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1139 params.clear();
1140 params.push_back("active_user_key");
1141 params.push_back("10");
1142 params.push_back("01234567890abcd");
1143 EXPECT_EQ(0, CryptoKeyTest::ExecSdcBinary(params, 1));
1144 params.clear();
1145 }
1146
1147 /**
1148 * @tc.name: libfscrypt api test
1149 * @tc.desc: Verify the libfscrypt interface.
1150 * @tc.type: FUNC
1151 * @tc.require: SR000H0CLT
1152 */
1153 HWTEST_F(CryptoKeyTest, fscrypt_libfscrypt_api, TestSize.Level1)
1154 {
1155 // test api in sysparam_dynamic.c
1156 EXPECT_NE(0, GetFscryptParameter(NULL, NULL, NULL, NULL));
1157 EXPECT_NE(0, SetFscryptParameter(NULL, NULL));
1158
1159 // test api in fscrypt_utils.c
1160 EXPECT_NE(0, FscryptPolicyEnable(NULL));
1161 EXPECT_EQ(0, FscryptPolicyEnable("/data/test/badpath"));
1162 FscryptPolicyEnable("/data/app/el1/bundle/public");
1163 EXPECT_NE(0, SetFscryptSysparam(NULL));
1164
1165 // test api in key_control.c
1166 EXPECT_EQ(FSCRYPT_INVALID, KeyCtrlLoadVersion(NULL));
1167 EXPECT_EQ(FSCRYPT_INVALID, KeyCtrlLoadVersion("/nofile"));
1168 EXPECT_EQ(FSCRYPT_INVALID, KeyCtrlGetFscryptVersion(NULL));
1169
1170 // version iss not digit
1171 OHOS::ForceRemoveDirectory(TEST_DIR_LEGACY);
1172 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY));
1173 std::string testVersionFile = TEST_DIR_LEGACY + "/fscrypt_version";
1174 EXPECT_TRUE(OHOS::SaveStringToFile(testVersionFile, "not-digit\n"));
1175 EXPECT_EQ(FSCRYPT_INVALID, KeyCtrlLoadVersion(TEST_DIR_LEGACY.c_str()));
1176
1177 // bad version
1178 OHOS::ForceRemoveDirectory(TEST_DIR_LEGACY);
1179 EXPECT_TRUE(OHOS::ForceCreateDirectory(TEST_DIR_LEGACY));
1180 testVersionFile = TEST_DIR_LEGACY + "/fscrypt_version";
1181 EXPECT_TRUE(OHOS::SaveStringToFile(testVersionFile, "10\n"));
1182 EXPECT_EQ(FSCRYPT_INVALID, KeyCtrlLoadVersion(TEST_DIR_LEGACY.c_str()));
1183
1184 key_serial_t id = 1;
1185 EXPECT_NE(0, KeyCtrlGetKeyringId(id, 0));
1186
1187 // test api in fscrypt_control.c
1188 EXPECT_NE(0, LoadAndSetPolicy(NULL, NULL));
1189 EXPECT_NE(0, FscryptSetSysparam("2:abs-256-cts"));
1190 EXPECT_NE(0, FscryptSetSysparam("2:abs-256-cts:bad-param"));
1191 EXPECT_NE(0, FscryptSetSysparam(NULL));
1192 }
1193
1194 /**
1195 * @tc.name: fscrypt_fbex_utils
1196 * @tc.desc: Verify the fbex utils.
1197 * @tc.type: FUNC
1198 * @tc.require: SR000HE9U7
1199 */
1200 HWTEST_F(CryptoKeyTest, fscrypt_fbex_utils, TestSize.Level1)
1201 {
1202 if (KeyCtrlGetFscryptVersion(TEST_MNT.c_str()) != FSCRYPT_V1) {
1203 return; // skip not v1 fscrypt
1204 }
1205 if (!FBEX::IsFBEXSupported()) {
1206 return; // skip no fbex support
1207 }
1208 (void)FBEX::IsMspReady();
1209 (void)FBEX::GetStatus();
1210
1211 constexpr uint32_t userId = 82; // test userid
1212 uint8_t buf[FBEX_IV_SIZE] = {0};
1213 buf[0] = 0xfb; // fitst byte const to kernel
1214 buf[1] = 0x30; // second byte const to kernel
1215 EXPECT_EQ(0, FBEX::InstallKeyToKernel(userId, TYPE_EL2, buf, FBEX_IV_SIZE, FIRST_CREATE_KEY));
1216 EXPECT_EQ(0, FBEX::LockScreenToKernel(userId));
1217 EXPECT_EQ(0, FBEX::UnlockScreenToKernel(userId, TYPE_EL3, buf, FBEX_IV_SIZE));
1218 uint8_t buf1[FBEX_IV_SIZE] = {0};
1219 buf1[0] = 0xfb; // fitst byte const to kernel
1220 buf1[1] = 0x30; // second byte const to kernel
1221 EXPECT_EQ(0, FBEX::UninstallOrLockUserKeyToKernel(userId, TYPE_EL2, buf1, FBEX_IV_SIZE, USER_DESTROY));
1222 }
1223