keystore/test-keystore - platform/system/security - Git at Google

 #!/bin/bash
 #
 # Copyright 2011, The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.

 set -e

 prefix=$0
 log_file=$prefix.log
 baseline_file=$prefix.baseline

 function cleanup_output() {
     rm -f $log_file
     rm -f $baseline_file
 }

 function log() {
     echo "$@"
     append $log_file \# "$@"
     append $baseline_file \# "$@"
 }

 function expect() {
     append $baseline_file "$@"
 }

 function append() {
     declare -r file=$1
     shift
     echo "$@" >> $file
 }

 function run() {
     # strip out carriage returns from adb
     # strip out date/time from ls -l
     "$@" | tr -d '\r' | sed -E 's/[0-9]{4}-[0-9]{2}-[0-9]{2} +[0-9]{1,2}:[0-9]{2} //' >> $log_file
 }

 function keystore() {
     declare -r user=$1
     shift
     run adb shell su $user keystore_cli "$@"
 }

 function keystore_in() {
     declare -r user=$1
     declare -r input=$2
     shift; shift
     run adb shell "echo '$input' | su $user keystore_cli $@"
 }

 function list_keystore_directory() {
     run adb shell ls -al /data/misc/keystore$@
 }

 function compare() {
     log "comparing $baseline_file and $log_file"
     diff $baseline_file $log_file || (log $tag FAILED && exit 1)
 }

 function test_basic() {

     #
     # reset
     #
     log "reset keystore as system user"
     keystore system reset
     expect "reset: No error (1)"
     list_keystore_directory
     expect "-rw------- keystore keystore        4 .metadata"
     expect "drwx------ keystore keystore          user_0"

     #
     # basic tests as system/root
     #
     log "root does not have permission to run test"
     keystore root test
     expect "test: Permission denied (6)"

     log "but system user does"
     keystore system test
     expect "test: Uninitialized (3)"
     list_keystore_directory
     expect "-rw------- keystore keystore        4 .metadata"
     expect "drwx------ keystore keystore          user_0"

     log "password is now bar"
     keystore system password bar
     expect "password: No error (1)"
     list_keystore_directory /user_0
     expect "-rw------- keystore keystore       84 .masterkey"

     log "no error implies initialized and unlocked"
     keystore system test
     expect "test: No error (1)"

     log "saw with no argument"
     keystore system saw

     log "saw nothing"
     keystore system saw ""

     log "add key baz"
     keystore_in system quux insert baz
     expect "insert: No error (1)"

     log "1000 is uid of system"
     list_keystore_directory /user_0
     expect "-rw------- keystore keystore       84 .masterkey"
     expect "-rw------- keystore keystore       52 1000_baz"

     log "saw baz"
     keystore system saw
     expect "baz"

     log "get baz"
     keystore system get baz
     expect "quux"

     log "root can read system user keys (as can wifi or vpn users)"
     keystore root get baz
     expect "quux"

     #
     # app user tests
     #

     # u0_a0 has uid 10000, as seen below
     log "other uses cannot see the system keys"
     keystore u0_a0 get baz

     log "app user cannot use reset, password, lock, unlock"
     keystore u0_a0 reset
     expect "reset: Permission denied (6)"
     keystore u0_a0 password some_pass
     expect "password: Permission denied (6)"
     keystore u0_a0 lock
     expect "lock: Permission denied (6)"
     keystore u0_a0 unlock some_pass
     expect "unlock: Permission denied (6)"

     log "install u0_a0 key"
     keystore_in u0_a0 deadbeef insert 0x
     expect "insert: No error (1)"
     list_keystore_directory /user_0
     expect "-rw------- keystore keystore       84 .masterkey"
     expect "-rw------- keystore keystore       52 10000_0x"
     expect "-rw------- keystore keystore       52 1000_baz"

     log "get with no argument"
     keystore u0_a0 get
     expect "Usage: keystore_cli get <name>"

     log "few get tests for an app"
     keystore u0_a0 get 0x
     expect "deadbeef"

     keystore_in u0_a0 barney insert fred
     expect "insert: No error (1)"

     keystore u0_a0 saw
     expect "0x"
     expect "fred"

     log "note that saw returns the suffix of prefix matches"
     keystore u0_a0 saw fr # fred
     expect "ed" # fred

     #
     # lock tests
     #
     log "lock the store as system"
     keystore system lock
     expect "lock: No error (1)"
     keystore system test
     expect "test: Locked (2)"

     log "saw works while locked"
     keystore u0_a0 saw
     expect "0x"
     expect "fred"

     log "...and app can read keys..."
     keystore u0_a0 get 0x
     expect "deadbeef"

     log "...but they cannot be deleted."
     keystore u0_a0 exist 0x
     expect "exist: No error (1)"
     keystore u0_a0 del_key 0x
     expect "del_key: Key not found (7)"

     #
     # password
     #
     log "wrong password"
     keystore system unlock foo
     expect "unlock: Wrong password (4 tries left) (13)"
     log "right password"
     keystore system unlock bar
     expect "unlock: No error (1)"

     log "make the password foo"
     keystore system password foo
     expect "password: No error (1)"

     #
     # final reset
     #
     log "reset wipes everything for all users"
     keystore system reset
     expect "reset: No error (1)"
     list_keystore_directory
     expect "-rw------- keystore keystore        4 .metadata"
     expect "drwx------ keystore keystore          user_0"
     list_keystore_directory /user_0

     keystore system test
     expect "test: Uninitialized (3)"
 }

 function test_grant() {
     log "test granting"
     keystore system reset
     expect "reset: No error (1)"
     keystore system password test_pass
     expect "password: No error (1)"

     keystore_in system granted_key_value insert granted_key
     expect "insert: No error (1)"

     # Cannot read before grant.
     keystore u10_a0 get granted_key

     # Grant and read.
     log "System grants to u0_a1"
     keystore system grant granted_key 10001
     expect "Working with uid 10001"
     expect "grant: No error (1)"
     keystore u0_a1 get 1000_granted_key
     expect "granted_key_value"
 }

 function test_4599735() {
     # http://b/4599735
     log "start regression test for b/4599735"
     keystore system reset
     expect "reset: No error (1)"
     list_keystore_directory /user_0

     keystore system password foo
     expect "password: No error (1)"

     keystore_in system quux insert baz
     expect "insert: No error (1)"

     keystore root get baz
     expect "quux"

     keystore system lock
     expect "lock: No error (1)"

     keystore system password foo
     expect "password: No error (1)"

     log "after unlock, regression led to result of '8 Value corrupted'"
     keystore root get baz
     expect "quux"

     keystore system reset
     expect "reset: No error (1)"
     log "end regression test for b/4599735"
 }

 function main() {
     cleanup_output
     log $tag START
     test_basic
     test_4599735
     test_grant
     compare
     log $tag PASSED
     cleanup_output
 }

 main
	#!/bin/bash
	#
	# Copyright 2011, The Android Open Source Project
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.

	set -e

	prefix=$0
	log_file=$prefix.log
	baseline_file=$prefix.baseline

	function cleanup_output() {
	rm -f $log_file
	rm -f $baseline_file
	}

	function log() {
	echo "$@"
	append $log_file \# "$@"
	append $baseline_file \# "$@"
	}

	function expect() {
	append $baseline_file "$@"
	}

	function append() {
	declare -r file=$1
	shift
	echo "$@" >> $file
	}

	function run() {
	# strip out carriage returns from adb
	# strip out date/time from ls -l
	"$@" \| tr -d '\r' \| sed -E 's/[0-9]{4}-[0-9]{2}-[0-9]{2} +[0-9]{1,2}:[0-9]{2} //' >> $log_file
	}

	function keystore() {
	declare -r user=$1
	shift
	run adb shell su $user keystore_cli "$@"
	}

	function keystore_in() {
	declare -r user=$1
	declare -r input=$2
	shift; shift
	run adb shell "echo '$input' \| su $user keystore_cli $@"
	}

	function list_keystore_directory() {
	run adb shell ls -al /data/misc/keystore$@
	}

	function compare() {
	log "comparing $baseline_file and $log_file"
	diff $baseline_file $log_file \|\| (log $tag FAILED && exit 1)
	}

	function test_basic() {

	#
	# reset
	#
	log "reset keystore as system user"
	keystore system reset
	expect "reset: No error (1)"
	list_keystore_directory
	expect "-rw------- keystore keystore 4 .metadata"
	expect "drwx------ keystore keystore user_0"

	#
	# basic tests as system/root
	#
	log "root does not have permission to run test"
	keystore root test
	expect "test: Permission denied (6)"

	log "but system user does"
	keystore system test
	expect "test: Uninitialized (3)"
	list_keystore_directory
	expect "-rw------- keystore keystore 4 .metadata"
	expect "drwx------ keystore keystore user_0"

	log "password is now bar"
	keystore system password bar
	expect "password: No error (1)"
	list_keystore_directory /user_0
	expect "-rw------- keystore keystore 84 .masterkey"

	log "no error implies initialized and unlocked"
	keystore system test
	expect "test: No error (1)"

	log "saw with no argument"
	keystore system saw

	log "saw nothing"
	keystore system saw ""

	log "add key baz"
	keystore_in system quux insert baz
	expect "insert: No error (1)"

	log "1000 is uid of system"
	list_keystore_directory /user_0
	expect "-rw------- keystore keystore 84 .masterkey"
	expect "-rw------- keystore keystore 52 1000_baz"

	log "saw baz"
	keystore system saw
	expect "baz"

	log "get baz"
	keystore system get baz
	expect "quux"

	log "root can read system user keys (as can wifi or vpn users)"
	keystore root get baz
	expect "quux"

	#
	# app user tests
	#

	# u0_a0 has uid 10000, as seen below
	log "other uses cannot see the system keys"
	keystore u0_a0 get baz

	log "app user cannot use reset, password, lock, unlock"
	keystore u0_a0 reset
	expect "reset: Permission denied (6)"
	keystore u0_a0 password some_pass
	expect "password: Permission denied (6)"
	keystore u0_a0 lock
	expect "lock: Permission denied (6)"
	keystore u0_a0 unlock some_pass
	expect "unlock: Permission denied (6)"

	log "install u0_a0 key"
	keystore_in u0_a0 deadbeef insert 0x
	expect "insert: No error (1)"
	list_keystore_directory /user_0
	expect "-rw------- keystore keystore 84 .masterkey"
	expect "-rw------- keystore keystore 52 10000_0x"
	expect "-rw------- keystore keystore 52 1000_baz"

	log "get with no argument"
	keystore u0_a0 get
	expect "Usage: keystore_cli get <name>"

	log "few get tests for an app"
	keystore u0_a0 get 0x
	expect "deadbeef"

	keystore_in u0_a0 barney insert fred
	expect "insert: No error (1)"

	keystore u0_a0 saw
	expect "0x"
	expect "fred"

	log "note that saw returns the suffix of prefix matches"
	keystore u0_a0 saw fr # fred
	expect "ed" # fred

	#
	# lock tests
	#
	log "lock the store as system"
	keystore system lock
	expect "lock: No error (1)"
	keystore system test
	expect "test: Locked (2)"

	log "saw works while locked"
	keystore u0_a0 saw
	expect "0x"
	expect "fred"

	log "...and app can read keys..."
	keystore u0_a0 get 0x
	expect "deadbeef"

	log "...but they cannot be deleted."
	keystore u0_a0 exist 0x
	expect "exist: No error (1)"
	keystore u0_a0 del_key 0x
	expect "del_key: Key not found (7)"

	#
	# password
	#
	log "wrong password"
	keystore system unlock foo
	expect "unlock: Wrong password (4 tries left) (13)"
	log "right password"
	keystore system unlock bar
	expect "unlock: No error (1)"

	log "make the password foo"
	keystore system password foo
	expect "password: No error (1)"

	#
	# final reset
	#
	log "reset wipes everything for all users"
	keystore system reset
	expect "reset: No error (1)"
	list_keystore_directory
	expect "-rw------- keystore keystore 4 .metadata"
	expect "drwx------ keystore keystore user_0"
	list_keystore_directory /user_0

	keystore system test
	expect "test: Uninitialized (3)"
	}

	function test_grant() {
	log "test granting"
	keystore system reset
	expect "reset: No error (1)"
	keystore system password test_pass
	expect "password: No error (1)"

	keystore_in system granted_key_value insert granted_key
	expect "insert: No error (1)"

	# Cannot read before grant.
	keystore u10_a0 get granted_key

	# Grant and read.
	log "System grants to u0_a1"
	keystore system grant granted_key 10001
	expect "Working with uid 10001"
	expect "grant: No error (1)"
	keystore u0_a1 get 1000_granted_key
	expect "granted_key_value"
	}

	function test_4599735() {
	# http://b/4599735
	log "start regression test for b/4599735"
	keystore system reset
	expect "reset: No error (1)"
	list_keystore_directory /user_0

	keystore system password foo
	expect "password: No error (1)"

	keystore_in system quux insert baz
	expect "insert: No error (1)"

	keystore root get baz
	expect "quux"

	keystore system lock
	expect "lock: No error (1)"

	keystore system password foo
	expect "password: No error (1)"

	log "after unlock, regression led to result of '8 Value corrupted'"
	keystore root get baz
	expect "quux"

	keystore system reset
	expect "reset: No error (1)"
	log "end regression test for b/4599735"
	}

	function main() {
	cleanup_output
	log $tag START
	test_basic
	test_4599735
	test_grant
	compare
	log $tag PASSED
	cleanup_output
	}

	main