#!/bin/bash
#
# Copyright 2011, The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Stop at the first command that exits non-zero.
set -e

# Both output files are created next to the script itself:
#   <script>.log       filtered output captured from the device
#   <script>.baseline  the output the test expects
# NOTE(review): main and compare expand $tag, which this script never assigns;
# it expands to nothing unless the caller's environment provides it.
prefix="$0"
log_file="${prefix}.log"
baseline_file="${prefix}.baseline"
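#######################################
# Remove the log and baseline files left by a previous run.
# Globals:   log_file (read), baseline_file (read)
# Arguments: none
#######################################
function cleanup_output() {
    # Both paths are derived from $0. Quote them (and end option parsing with
    # --) so a script path containing whitespace or glob characters cannot
    # make rm delete some other file.
    rm -f -- "$log_file"
    rm -f -- "$baseline_file"
}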
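#######################################
# Print a progress message and record it, prefixed with '#', in both the log
# and the baseline so the two files stay aligned when they are diffed.
# Globals:   log_file (read), baseline_file (read)
# Arguments: the words of the message
# Outputs:   the message on stdout
#######################################
function log() {
    echo "$@"
    # Quoted: the paths come from $0 and must reach append as a single word.
    append "$log_file" \# "$@"
    append "$baseline_file" \# "$@"
}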
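#######################################
# Record one line of expected output in the baseline file.
# Globals:   baseline_file (read)
# Arguments: the words of the expected line
#######################################
function expect() {
    # Quoted: the path comes from $0 and must reach append as a single word.
    append "$baseline_file" "$@"
}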
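#######################################
# Append one line to a file.
# Arguments: $1 - file to append to
#            remaining - words of the line, joined with single spaces
#######################################
function append() {
    local -r file=$1
    shift
    # printf rather than echo: many expected lines begin with '-' (ls -l
    # permission strings), and echo would consume a word such as -n or -e as
    # an option instead of writing it. "$*" joins on the first character of
    # IFS, which this script leaves at its default (space).
    # The target is quoted so a path with whitespace is not an ambiguous
    # redirect.
    printf '%s\n' "$*" >> "$file"
}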
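#######################################
# Run a command and append its normalised stdout to the log file.
# Globals:   log_file (read)
# Arguments: the command and its arguments
# Returns:   the exit status of the final sed stage
#######################################
function run() {
    # strip out carriage returns from adb
    # strip out date/time from ls -l
    #
    # The script does not enable pipefail, so the status of "$@" itself is
    # discarded and 'set -e' never sees a failing command here; a failure only
    # shows up later as a difference between the log and the baseline.
    "$@" \
        | tr -d '\r' \
        | sed -E 's/[0-9]{4}-[0-9]{2}-[0-9]{2} +[0-9]{1,2}:[0-9]{2} //' \
        >> "$log_file"
}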
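#######################################
# Run keystore_cli on the device under a given identity and log its output.
# Arguments: $1 - identity handed to su (this script uses system, root,
#                 u0_a0, u0_a1 and u10_a0)
#            remaining - keystore_cli sub-command and its arguments
#######################################
function keystore() {
    local -r user=$1
    shift
    # Quoting keeps the local argument vector intact.
    # NOTE(review): the words are still handed to `adb shell`, which
    # presumably joins them and has the device shell parse the result again,
    # so an empty argument (as in `saw ""`) or shell metacharacters are
    # unlikely to survive as written - confirm. Keep arguments to fixed
    # literals.
    run adb shell su "$user" keystore_cli "$@"
}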
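#######################################
# Run keystore_cli on the device with a value piped to its stdin.
# Arguments: $1 - identity handed to su
#            $2 - value echoed into keystore_cli's stdin
#            remaining - keystore_cli sub-command and its arguments
#######################################
function keystore_in() {
    local -r user=$1
    local -r input=$2
    shift 2
    # The whole pipeline is one string that the device shell parses, so the
    # value must stay inside its single quotes: rewrite every ' as '\''
    # (close the quote, emit an escaped quote, reopen).
    local quoted_input
    quoted_input=${input//\'/\'\\\'\'}
    # "$*" keeps the command a single word; "$@" inside a larger quoted string
    # would split it after the first argument.
    # The identity and the trailing arguments are interpolated as-is; callers
    # must only pass fixed literals for them.
    run adb shell "echo '${quoted_input}' | su ${user} keystore_cli $*"
}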
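#######################################
# Log an `ls -al` listing of the keystore data directory on the device.
# Arguments: $1 - optional path suffix appended to /data/misc/keystore
#                 (callers in this script pass nothing or /user_0)
#######################################
function list_keystore_directory() {
    # Quoted so the suffix is neither word-split nor glob-expanded on the
    # host before it is sent to the device.
    run adb shell ls -al "/data/misc/keystore$*"
}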
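#######################################
# Diff the expected output against what the device actually produced.
# Globals:   baseline_file (read), log_file (read), tag (read, optional)
# Outputs:   the diff on stdout when the files differ
# Returns:   0 when the files match, 1 otherwise (under 'set -e' the
#            non-zero return aborts the script, so the files are kept)
#######################################
function compare() {
    log "comparing $baseline_file and $log_file"
    # Any non-zero diff status counts as a failure, including diff's own
    # "trouble" status (for example a missing file).
    if ! diff -- "$baseline_file" "$log_file"; then
        # ${tag:+...} passes the tag as one word when it is set and nothing
        # at all when it is empty or unset.
        log ${tag:+"$tag"} FAILED
        return 1
    fi
}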
#######################################
# Walk keystore_cli through reset, password setup, key insertion, per-identity
# access checks, lock/unlock and a final reset. Every device command appends
# its output to the log (via keystore, keystore_in, list_keystore_directory);
# every expect line appends the matching expected output to the baseline.
# Statement order matters: the two files are compared line by line afterwards.
# A command with no expect after it must therefore add nothing to the log.
#######################################
function test_basic() {

    #
    # reset
    #
    log "reset keystore as system user"
    keystore system reset
    expect "reset: No error (1)"
    list_keystore_directory
    expect "-rw------- keystore keystore 4 .metadata"
    expect "drwx------ keystore keystore user_0"

    #
    # basic tests as system/root
    #
    log "root does not have permission to run test"
    keystore root test
    expect "test: Permission denied (6)"

    log "but system user does"
    keystore system test
    expect "test: Uninitialized (3)"
    list_keystore_directory
    expect "-rw------- keystore keystore 4 .metadata"
    expect "drwx------ keystore keystore user_0"

    log "password is now bar"
    keystore system password bar
    expect "password: No error (1)"
    list_keystore_directory /user_0
    expect "-rw------- keystore keystore 84 .masterkey"

    log "no error implies initialized and unlocked"
    keystore system test
    expect "test: No error (1)"

    # No keys exist yet, so neither saw call is expected to print anything.
    log "saw with no argument"
    keystore system saw

    log "saw nothing"
    keystore system saw ""

    log "add key baz"
    keystore_in system quux insert baz
    expect "insert: No error (1)"

    # Key files are named <uid>_<key name>.
    log "1000 is uid of system"
    list_keystore_directory /user_0
    expect "-rw------- keystore keystore 84 .masterkey"
    expect "-rw------- keystore keystore 52 1000_baz"

    log "saw baz"
    keystore system saw
    expect "baz"

    log "get baz"
    keystore system get baz
    expect "quux"

    log "root can read system user keys (as can wifi or vpn users)"
    keystore root get baz
    expect "quux"

    #
    # app user tests
    #

    # u0_a0 has uid 10000, as seen below
    # Isolation check: no expect follows, so the denial is asserted only by
    # this command adding nothing to the log.
    # NOTE(review): an explicit expected error line would be a stronger check
    # if keystore_cli prints one here - confirm.
    log "other uses cannot see the system keys"
    keystore u0_a0 get baz

    # Administrative operations must be refused for an app identity.
    log "app user cannot use reset, password, lock, unlock"
    keystore u0_a0 reset
    expect "reset: Permission denied (6)"
    keystore u0_a0 password some_pass
    expect "password: Permission denied (6)"
    keystore u0_a0 lock
    expect "lock: Permission denied (6)"
    keystore u0_a0 unlock some_pass
    expect "unlock: Permission denied (6)"

    log "install u0_a0 key"
    keystore_in u0_a0 deadbeef insert 0x
    expect "insert: No error (1)"
    list_keystore_directory /user_0
    expect "-rw------- keystore keystore 84 .masterkey"
    expect "-rw------- keystore keystore 52 10000_0x"
    expect "-rw------- keystore keystore 52 1000_baz"

    log "get with no argument"
    keystore u0_a0 get
    expect "Usage: keystore_cli get <name>"

    log "few get tests for an app"
    keystore u0_a0 get 0x
    expect "deadbeef"

    keystore_in u0_a0 barney insert fred
    expect "insert: No error (1)"

    # The app identity lists only its own keys (0x, fred), not baz.
    keystore u0_a0 saw
    expect "0x"
    expect "fred"

    log "note that saw returns the suffix of prefix matches"
    keystore u0_a0 saw fr # fred
    expect "ed" # fred

    #
    # lock tests
    #
    log "lock the store as system"
    keystore system lock
    expect "lock: No error (1)"
    keystore system test
    expect "test: Locked (2)"

    log "saw works while locked"
    keystore u0_a0 saw
    expect "0x"
    expect "fred"

    log "...and app can read keys..."
    keystore u0_a0 get 0x
    expect "deadbeef"

    # While locked, exist still succeeds but del_key reports "Key not found".
    log "...but they cannot be deleted."
    keystore u0_a0 exist 0x
    expect "exist: No error (1)"
    keystore u0_a0 del_key 0x
    expect "del_key: Key not found (7)"

    #
    # password
    #
    # A wrong guess is rejected and the remaining-attempts counter is reported.
    log "wrong password"
    keystore system unlock foo
    expect "unlock: Wrong password (4 tries left) (13)"
    log "right password"
    keystore system unlock bar
    expect "unlock: No error (1)"

    log "make the password foo"
    keystore system password foo
    expect "password: No error (1)"

    #
    # final reset
    #
    log "reset wipes everything for all users"
    keystore system reset
    expect "reset: No error (1)"
    list_keystore_directory
    expect "-rw------- keystore keystore 4 .metadata"
    expect "drwx------ keystore keystore user_0"
    # No expect follows: user_0 must list as empty after the reset.
    list_keystore_directory /user_0

    keystore system test
    expect "test: Uninitialized (3)"
}
#######################################
# Check that a key owned by the system identity becomes readable by another
# uid only after an explicit grant. Output and expectations are recorded the
# same way as in the other tests (log file versus baseline file).
#######################################
function test_grant() {
    log "test granting"
    keystore system reset
    expect "reset: No error (1)"
    keystore system password test_pass
    expect "password: No error (1)"

    keystore_in system granted_key_value insert granted_key
    expect "insert: No error (1)"

    # Cannot read before grant.
    # No expect follows, so the read must add nothing to the log.
    # NOTE(review): this negative check runs as u10_a0, while the grant below
    # goes to uid 10001 (u0_a1), and it asks for granted_key rather than the
    # 1000_granted_key name used after the grant. The exact request that later
    # succeeds is never shown to fail beforehand - confirm whether that is
    # intended.
    keystore u10_a0 get granted_key

    # Grant and read.
    log "System grants to u0_a1"
    keystore system grant granted_key 10001
    expect "Working with uid 10001"
    expect "grant: No error (1)"
    # The grantee addresses the key by its owner-prefixed name.
    keystore u0_a1 get 1000_granted_key
    expect "granted_key_value"
}
#######################################
# Regression test for b/4599735: a stored value must still read back intact
# after the store has been locked and the password supplied again.
#######################################
function test_4599735() {
    # http://b/4599735
    log "start regression test for b/4599735"
    keystore system reset
    expect "reset: No error (1)"
    # No expect follows: user_0 must list as empty right after the reset.
    list_keystore_directory /user_0

    keystore system password foo
    expect "password: No error (1)"

    keystore_in system quux insert baz
    expect "insert: No error (1)"

    keystore root get baz
    expect "quux"

    keystore system lock
    expect "lock: No error (1)"

    # NOTE(review): the log message below says "after unlock", but the step
    # taken here is `password foo`, not `unlock`; presumably supplying the
    # password also unlocks the store - confirm.
    keystore system password foo
    expect "password: No error (1)"

    log "after unlock, regression led to result of '8 Value corrupted'"
    keystore root get baz
    expect "quux"

    keystore system reset
    expect "reset: No error (1)"
    log "end regression test for b/4599735"
}
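#######################################
# Run every test, compare the captured log with the baseline, and report.
# Globals:   tag (read, optional) - label placed before START / PASSED
# Outputs:   progress messages on stdout
#######################################
function main() {
    cleanup_output
    # ${tag:+...} passes the tag as one word when it is set and nothing at
    # all when it is empty or unset (this script never assigns it).
    log ${tag:+"$tag"} START
    test_basic
    test_4599735
    test_grant
    # With 'set -e' in effect a failing compare ends the script here, so the
    # log and baseline files are left in place for inspection.
    compare
    log ${tag:+"$tag"} PASSED
    cleanup_output
}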
# Entry point. main reads no positional parameters, so forwarding them is
# harmless and keeps the conventional call shape.
main "$@"