identity/support/tests/IdentityCredentialSupportTest.cpp

/*
 * Copyright (c) 2019, The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <iomanip>
#include <iostream>
#include <sstream>

#include <gmock/gmock.h>
#include <gtest/gtest.h>

#include <android/hardware/identity/support/IdentityCredentialSupport.h>

#include <cppbor.h>
#include <cppbor_parse.h>

using std::optional;
using std::string;
using std::vector;

namespace android {
namespace hardware {
namespace identity {

TEST(IdentityCredentialSupport, encodeHex) {
    EXPECT_EQ("", support::encodeHex(vector<uint8_t>({})));
    EXPECT_EQ("01", support::encodeHex(vector<uint8_t>({1})));
    EXPECT_EQ("000102030405060708090a0b0c0d0e0f10",
              support::encodeHex(
                      vector<uint8_t>({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16})));
    EXPECT_EQ("0102ffe060", support::encodeHex(vector<uint8_t>({1, 2, 255, 224, 96})));
}

TEST(IdentityCredentialSupport, decodeHex) {
    EXPECT_EQ(vector<uint8_t>({}), support::decodeHex(""));
    EXPECT_EQ(vector<uint8_t>({1}), support::decodeHex("01"));

    EXPECT_EQ(vector<uint8_t>({0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}),
              support::decodeHex("000102030405060708090a0b0c0d0e0f10"));

    EXPECT_FALSE(support::decodeHex("0g"));
    EXPECT_FALSE(support::decodeHex("0"));
    EXPECT_FALSE(support::decodeHex("012"));
}

TEST(IdentityCredentialSupport, CborPrettyPrint) {
    EXPECT_EQ("'Some text'", support::cborPrettyPrint(cppbor::Tstr("Some text").encode()));

    EXPECT_EQ("''", support::cborPrettyPrint(cppbor::Tstr("").encode()));

    EXPECT_EQ("{0x01, 0x00, 0x02, 0xf0, 0xff, 0x40}",
              support::cborPrettyPrint(
                      cppbor::Bstr(vector<uint8_t>({1, 0, 2, 240, 255, 64})).encode()));

    EXPECT_EQ("{}", support::cborPrettyPrint(cppbor::Bstr(vector<uint8_t>()).encode()));

    EXPECT_EQ("true", support::cborPrettyPrint(cppbor::Bool(true).encode()));

    EXPECT_EQ("false", support::cborPrettyPrint(cppbor::Bool(false).encode()));

    EXPECT_EQ("42", support::cborPrettyPrint(cppbor::Uint(42).encode()));

    EXPECT_EQ("9223372036854775807",  // 0x7fff ffff ffff ffff
              support::cborPrettyPrint(cppbor::Uint(std::numeric_limits<int64_t>::max()).encode()));

    EXPECT_EQ("-42", support::cborPrettyPrint(cppbor::Nint(-42).encode()));

    EXPECT_EQ("-9223372036854775808",  // -0x8000 0000 0000 0000
              support::cborPrettyPrint(cppbor::Nint(std::numeric_limits<int64_t>::min()).encode()));
}

TEST(IdentityCredentialSupport, CborPrettyPrintCompound) {
    cppbor::Array array = cppbor::Array("foo", "bar", "baz");
    EXPECT_EQ("['foo', 'bar', 'baz', ]", support::cborPrettyPrint(array.encode()));

    cppbor::Map map = cppbor::Map().add("foo", 42).add("bar", 43).add("baz", 44);
    EXPECT_EQ(
            "{\n"
            "  'foo' : 42,\n"
            "  'bar' : 43,\n"
            "  'baz' : 44,\n"
            "}",
            support::cborPrettyPrint(map.encode()));

    cppbor::Array array2 = cppbor::Array(cppbor::Tstr("Some text"), cppbor::Nint(-42));
    EXPECT_EQ("['Some text', -42, ]", support::cborPrettyPrint(array2.encode()));

    cppbor::Map map2 = cppbor::Map().add(42, "foo").add(43, "bar").add(44, "baz");
    EXPECT_EQ(
            "{\n"
            "  42 : 'foo',\n"
            "  43 : 'bar',\n"
            "  44 : 'baz',\n"
            "}",
            support::cborPrettyPrint(map2.encode()));

    cppbor::Array deeplyNestedArrays =
            cppbor::Array(cppbor::Array(cppbor::Array("a", "b", "c")),
                          cppbor::Array(cppbor::Array("d", "e", cppbor::Array("f", "g"))));
    EXPECT_EQ(
            "[\n"
            "  ['a', 'b', 'c', ],\n"
            "  [\n    'd',\n"
            "    'e',\n"
            "    ['f', 'g', ],\n"
            "  ],\n"
            "]",
            support::cborPrettyPrint(deeplyNestedArrays.encode()));

    EXPECT_EQ(
            "[\n"
            "  {0x0a, 0x0b},\n"
            "  'foo',\n"
            "  42,\n"
            "  ['foo', 'bar', 'baz', ],\n"
            "  {\n"
            "    'foo' : 42,\n"
            "    'bar' : 43,\n"
            "    'baz' : 44,\n"
            "  },\n"
            "  {\n"
            "    'deep1' : ['Some text', -42, ],\n"
            "    'deep2' : {\n"
            "      42 : 'foo',\n"
            "      43 : 'bar',\n"
            "      44 : 'baz',\n"
            "    },\n"
            "  },\n"
            "]",
            support::cborPrettyPrint(cppbor::Array(cppbor::Bstr(vector<uint8_t>{10, 11}),
                                                   cppbor::Tstr("foo"), cppbor::Uint(42),
                                                   std::move(array), std::move(map),
                                                   (cppbor::Map()
                                                            .add("deep1", std::move(array2))
                                                            .add("deep2", std::move(map2))))
                                             .encode()));
}

TEST(IdentityCredentialSupport, Signatures) {
    vector<uint8_t> data = {1, 2, 3};

    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    optional<vector<uint8_t>> signature = support::signEcDsa(privKey.value(), data);
    ASSERT_TRUE(
            support::checkEcDsaSignature(support::sha256(data), signature.value(), pubKey.value()));

    // Manipulate the signature, check that verification fails.
    vector<uint8_t> modifiedSignature = signature.value();
    modifiedSignature[0] ^= 0xff;
    ASSERT_FALSE(
            support::checkEcDsaSignature(support::sha256(data), modifiedSignature, pubKey.value()));

    // Manipulate the data being checked, check that verification fails.
    vector<uint8_t> modifiedDigest = support::sha256(data);
    modifiedDigest[0] ^= 0xff;
    ASSERT_FALSE(support::checkEcDsaSignature(modifiedDigest, signature.value(), pubKey.value()));
}

string replaceLine(const string& str, ssize_t lineNumber, const string& replacement) {
    vector<string> lines;
    std::istringstream f(str);
    string s;
    while (std::getline(f, s, '\n')) {
        lines.push_back(s);
    }

    size_t numLines = lines.size();
    if (lineNumber < 0) {
        lineNumber = numLines - (-lineNumber);
    }

    string ret;
    size_t n = 0;
    for (const string& line : lines) {
        if (n == lineNumber) {
            ret += replacement + "\n";
        } else {
            ret += line + "\n";
        }
        n++;
    }
    return ret;
}

TEST(IdentityCredentialSupport, CoseSignatures) {
    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    vector<uint8_t> data = {1, 2, 3};
    optional<vector<uint8_t>> coseSign1 = support::coseSignEcDsa(
            privKey.value(), data, {} /* detachedContent */, {} /* x5chain */);
    ASSERT_TRUE(support::coseCheckEcDsaSignature(coseSign1.value(), {} /* detachedContent */,
                                                 pubKey.value()));

    optional<vector<uint8_t>> payload = support::coseSignGetPayload(coseSign1.value());
    ASSERT_TRUE(payload);
    ASSERT_EQ(data, payload.value());

    // Finally, check that |coseSign1| are the bytes of a valid COSE_Sign1 message
    string out = support::cborPrettyPrint(coseSign1.value());
    out = replaceLine(out, -2, "  [] // Signature Removed");
    EXPECT_EQ(
            "[\n"
            "  {0xa1, 0x01, 0x26},\n"  // Bytes of {1:-7} 1 is 'alg' label and -7 is "ECDSA 256"
            "  {},\n"
            "  {0x01, 0x02, 0x03},\n"
            "  [] // Signature Removed\n"
            "]\n",
            out);
}

TEST(IdentityCredentialSupport, CoseSignaturesAdditionalData) {
    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    vector<uint8_t> detachedContent = {1, 2, 3};
    optional<vector<uint8_t>> coseSign1 = support::coseSignEcDsa(privKey.value(), {} /* data */,
                                                                 detachedContent, {} /* x5chain */);
    ASSERT_TRUE(
            support::coseCheckEcDsaSignature(coseSign1.value(), detachedContent, pubKey.value()));

    optional<vector<uint8_t>> payload = support::coseSignGetPayload(coseSign1.value());
    ASSERT_TRUE(payload);
    ASSERT_EQ(0, payload.value().size());

    // Finally, check that |coseSign1| are the bytes of a valid COSE_Sign1 message
    string out = support::cborPrettyPrint(coseSign1.value());
    out = replaceLine(out, -2, "  [] // Signature Removed");
    EXPECT_EQ(
            "[\n"
            "  {0xa1, 0x01, 0x26},\n"  // Bytes of {1:-7} 1 is 'alg' label and -7 is "ECDSA 256"
            "  {},\n"
            "  null,\n"
            "  [] // Signature Removed\n"
            "]\n",
            out);
}

vector<uint8_t> generateCertChain(size_t numCerts) {
    vector<vector<uint8_t>> certs;

    for (size_t n = 0; n < numCerts; n++) {
        optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
        optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
        optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());

        optional<vector<uint8_t>> cert = support::ecPublicKeyGenerateCertificate(
                pubKey.value(), privKey.value(), "0001", "someIssuer", "someSubject", 0, 0);
        certs.push_back(cert.value());
    }
    return support::certificateChainJoin(certs);
}

TEST(IdentityCredentialSupport, CoseSignaturesX5ChainWithSingleCert) {
    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    vector<uint8_t> certChain = generateCertChain(1);
    optional<vector<vector<uint8_t>>> splitCerts = support::certificateChainSplit(certChain);
    ASSERT_EQ(1, splitCerts.value().size());

    vector<uint8_t> detachedContent = {1, 2, 3};
    optional<vector<uint8_t>> coseSign1 =
            support::coseSignEcDsa(privKey.value(), {} /* data */, detachedContent, certChain);
    ASSERT_TRUE(
            support::coseCheckEcDsaSignature(coseSign1.value(), detachedContent, pubKey.value()));

    optional<vector<uint8_t>> payload = support::coseSignGetPayload(coseSign1.value());
    ASSERT_TRUE(payload);
    ASSERT_EQ(0, payload.value().size());

    optional<vector<uint8_t>> certsRecovered = support::coseSignGetX5Chain(coseSign1.value());
    EXPECT_EQ(certsRecovered.value(), certChain);
}

TEST(IdentityCredentialSupport, CoseSignaturesX5ChainWithMultipleCerts) {
    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    vector<uint8_t> certChain = generateCertChain(5);
    optional<vector<vector<uint8_t>>> splitCerts = support::certificateChainSplit(certChain);
    ASSERT_EQ(5, splitCerts.value().size());

    vector<uint8_t> detachedContent = {1, 2, 3};
    optional<vector<uint8_t>> coseSign1 =
            support::coseSignEcDsa(privKey.value(), {} /* data */, detachedContent, certChain);
    ASSERT_TRUE(
            support::coseCheckEcDsaSignature(coseSign1.value(), detachedContent, pubKey.value()));

    optional<vector<uint8_t>> payload = support::coseSignGetPayload(coseSign1.value());
    ASSERT_TRUE(payload);
    ASSERT_EQ(0, payload.value().size());

    optional<vector<uint8_t>> certsRecovered = support::coseSignGetX5Chain(coseSign1.value());
    EXPECT_EQ(certsRecovered.value(), certChain);
}

TEST(IdentityCredentialSupport, CertificateChain) {
    optional<vector<uint8_t>> keyPair = support::createEcKeyPair();
    ASSERT_TRUE(keyPair);
    optional<vector<uint8_t>> privKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(privKey);
    optional<vector<uint8_t>> pubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(pubKey);

    optional<vector<uint8_t>> cert = support::ecPublicKeyGenerateCertificate(
            pubKey.value(), privKey.value(), "0001", "someIssuer", "someSubject", 0, 0);

    optional<vector<uint8_t>> extractedPubKey =
            support::certificateChainGetTopMostKey(cert.value());
    ASSERT_TRUE(extractedPubKey);
    ASSERT_EQ(pubKey.value(), extractedPubKey.value());

    // We expect to the chain returned by ecPublicKeyGenerateCertificate() to only have a
    // single element
    optional<vector<vector<uint8_t>>> splitCerts = support::certificateChainSplit(cert.value());
    ASSERT_EQ(1, splitCerts.value().size());
    ASSERT_EQ(splitCerts.value()[0], cert.value());

    optional<vector<uint8_t>> otherKeyPair = support::createEcKeyPair();
    ASSERT_TRUE(otherKeyPair);
    optional<vector<uint8_t>> otherPrivKey = support::ecKeyPairGetPrivateKey(keyPair.value());
    ASSERT_TRUE(otherPrivKey);
    optional<vector<uint8_t>> otherPubKey = support::ecKeyPairGetPublicKey(keyPair.value());
    ASSERT_TRUE(otherPubKey);
    optional<vector<uint8_t>> otherCert = support::ecPublicKeyGenerateCertificate(
            otherPubKey.value(), privKey.value(), "0001", "someIssuer", "someSubject", 0, 0);

    // Now both cert and otherCert are two distinct certificates. Let's make a
    // chain and check that certificateChainSplit() works as expected.
    ASSERT_NE(cert.value(), otherCert.value());
    const vector<vector<uint8_t>> certs2 = {cert.value(), otherCert.value()};
    vector<uint8_t> certs2combined = support::certificateChainJoin(certs2);
    ASSERT_EQ(certs2combined.size(), cert.value().size() + otherCert.value().size());
    optional<vector<vector<uint8_t>>> splitCerts2 = support::certificateChainSplit(certs2combined);
    ASSERT_EQ(certs2, splitCerts2.value());
}

vector<uint8_t> strToVec(const string& str) {
    vector<uint8_t> ret;
    size_t size = str.size();
    ret.resize(size);
    memcpy(ret.data(), str.data(), size);
    return ret;
}

// Test vector from https://en.wikipedia.org/wiki/HMAC
TEST(IdentityCredentialSupport, hmacSha256) {
    vector<uint8_t> key = strToVec("key");
    vector<uint8_t> data = strToVec("The quick brown fox jumps over the lazy dog");

    vector<uint8_t> expected =
            support::decodeHex("f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8")
                    .value();

    optional<vector<uint8_t>> hmac = support::hmacSha256(key, data);
    ASSERT_TRUE(hmac);
    ASSERT_EQ(expected, hmac.value());
}

// See also CoseMac0 test in UtilUnitTest.java inside cts/tests/tests/identity/
TEST(IdentityCredentialSupport, CoseMac0) {
    vector<uint8_t> key;
    key.resize(32);
    vector<uint8_t> data = {0x10, 0x11, 0x12, 0x13};
    vector<uint8_t> detachedContent = {};

    optional<vector<uint8_t>> mac = support::coseMac0(key, data, detachedContent);
    ASSERT_TRUE(mac);

    EXPECT_EQ(
            "[\n"
            "  {0xa1, 0x01, 0x05},\n"
            "  {},\n"
            "  {0x10, 0x11, 0x12, 0x13},\n"
            "  {0x6c, 0xec, 0xb5, 0x6a, 0xc9, 0x5c, 0xae, 0x3b, 0x41, 0x13, 0xde, 0xa4, 0xd8, "
            "0x86, 0x5c, 0x28, 0x2c, 0xd5, 0xa5, 0x13, 0xff, 0x3b, 0xd1, 0xde, 0x70, 0x5e, 0xbb, "
            "0xe2, 0x2d, 0x42, 0xbe, 0x53},\n"
            "]",
            support::cborPrettyPrint(mac.value()));
}

TEST(IdentityCredentialSupport, CoseMac0DetachedContent) {
    vector<uint8_t> key;
    key.resize(32);
    vector<uint8_t> data = {};
    vector<uint8_t> detachedContent = {0x10, 0x11, 0x12, 0x13};

    optional<vector<uint8_t>> mac = support::coseMac0(key, data, detachedContent);
    ASSERT_TRUE(mac);

    // Same HMAC as in CoseMac0 test, only difference is that payload is null.
    EXPECT_EQ(
            "[\n"
            "  {0xa1, 0x01, 0x05},\n"
            "  {},\n"
            "  null,\n"
            "  {0x6c, 0xec, 0xb5, 0x6a, 0xc9, 0x5c, 0xae, 0x3b, 0x41, 0x13, 0xde, 0xa4, 0xd8, "
            "0x86, 0x5c, 0x28, 0x2c, 0xd5, 0xa5, 0x13, 0xff, 0x3b, 0xd1, 0xde, 0x70, 0x5e, 0xbb, "
            "0xe2, 0x2d, 0x42, 0xbe, 0x53},\n"
            "]",
            support::cborPrettyPrint(mac.value()));
}

// Generates a private key in DER format for a small value of 'd'.
//
// Used for test vectors.
//
vector<uint8_t> p256PrivateKeyFromD(uint8_t d) {
    vector<uint8_t> privateUncompressed;
    privateUncompressed.resize(32);
    privateUncompressed[31] = d;
    optional<vector<uint8_t>> privateKey = support::ecPrivateKeyToKeyPair(privateUncompressed);
    return privateKey.value();
}

std::pair<vector<uint8_t>, vector<uint8_t>> p256PrivateKeyGetXandY(
        const vector<uint8_t> privateKey) {
    optional<vector<uint8_t>> publicUncompressed = support::ecKeyPairGetPublicKey(privateKey);
    vector<uint8_t> x = vector<uint8_t>(publicUncompressed.value().begin() + 1,
                                        publicUncompressed.value().begin() + 33);
    vector<uint8_t> y = vector<uint8_t>(publicUncompressed.value().begin() + 33,
                                        publicUncompressed.value().begin() + 65);
    return std::make_pair(x, y);
}

const cppbor::Item* findValueForTstr(const cppbor::Map* map, const string& keyValue) {
    // TODO: Need cast until libcppbor's Map::get() is marked as const
    auto [item, found] = ((cppbor::Map*)map)->get(keyValue);
    if (!found) {
        return nullptr;
    }
    return item.get();
}

const cppbor::Array* findArrayValueForTstr(const cppbor::Map* map, const string& keyValue) {
    const cppbor::Item* item = findValueForTstr(map, keyValue);
    if (item == nullptr) {
        return nullptr;
    }
    return item->asArray();
}

const cppbor::Map* findMapValueForTstr(const cppbor::Map* map, const string& keyValue) {
    const cppbor::Item* item = findValueForTstr(map, keyValue);
    if (item == nullptr) {
        return nullptr;
    }
    return item->asMap();
}

const cppbor::Semantic* findSemanticValueForTstr(const cppbor::Map* map, const string& keyValue) {
    const cppbor::Item* item = findValueForTstr(map, keyValue);
    if (item == nullptr) {
        return nullptr;
    }
    return item->asSemantic();
}

const std::string findStringValueForTstr(const cppbor::Map* map, const string& keyValue) {
    const cppbor::Item* item = findValueForTstr(map, keyValue);
    if (item == nullptr) {
        return nullptr;
    }
    const cppbor::Tstr* tstr = item->asTstr();
    if (tstr == nullptr) {
        return "";
    }
    return tstr->value();
}

TEST(IdentityCredentialSupport, testVectors_18013_5) {
    // This is a test against known vectors for ISO 18013-5.
    //
    // The objective of this test is to verify that support::calcEMacKey() and
    // support::calcMac() agree with the given test vectors.
    //

    // We're given static device key:
    //
    //     x: 28412803729898893058558238221310261427084375743576167377786533380249859400145
    //     y: 65403602826180996396520286939226973026599920614829401631985882360676038096704
    //     d: 11
    //
    vector<uint8_t> deviceKey = p256PrivateKeyFromD(11);
    auto [deviceKeyX, deviceKeyY] = p256PrivateKeyGetXandY(deviceKey);
    EXPECT_EQ(support::encodeHex(deviceKeyX),
              "3ed113b7883b4c590638379db0c21cda16742ed0255048bf433391d374bc21d1");
    EXPECT_EQ(support::encodeHex(deviceKeyY),
              "9099209accc4c8a224c843afa4f4c68a090d04da5e9889dae2f8eefce82a3740");

    // We're given Ephemeral reader key:
    //
    //   x: 59535862115950685744176693329402396749019581632805653266809849538337418304154
    //   y: 53776829996815113213100700404832701936765102413212294632483274374518863708344
    //   d: 20
    //
    vector<uint8_t> ephemeralReaderKey = p256PrivateKeyFromD(20);
    auto [ephemeralReaderKeyX, ephemeralReaderKeyY] = p256PrivateKeyGetXandY(ephemeralReaderKey);
    EXPECT_EQ(support::encodeHex(ephemeralReaderKeyX),
              "83a01a9378395bab9bcd6a0ad03cc56d56e6b19250465a94a234dc4c6b28da9a");
    EXPECT_EQ(support::encodeHex(ephemeralReaderKeyY),
              "76e49b6de2f73234ae6a5eb9d612b75c9f2202bb6923f54ff8240aaa86f640b8");
    vector<uint8_t> ephemeralReaderKeyPublic =
            support::ecKeyPairGetPublicKey(ephemeralReaderKey).value();

    // We're given SessionEstablishment.
    //
    //   SessionEstablishment = {
    //     "eReaderKey" : EReaderKeyBytes,
    //     "data" : bstr ; Encrypted mdoc request
    //   }
    //
    // Fish out EReaderKey from this.
    //
    // Note that the test vector below is incorrect insofar that it uses
    // "eReaderKeyBytes" instead of just "eReaderKey". This will be corrected in
    // the future.
    //
    optional<vector<uint8_t>> sessionEstablishmentEncoded = support::decodeHex(
            "a26f655265616465724b65794279746573d818584ba40102200121582083a01a9378395bab9bcd6a0ad03c"
            "c56d56e6b19250465a94a234dc4c6b28da9a22582076e49b6de2f73234ae6a5eb9d612b75c9f2202bb6923"
            "f54ff8240aaa86f640b864646174615902d945b31040c57491acb6d46a71f6c1f67a0b837df1bda9089fd0"
            "3d0b1fdac3eeb2874a4ef6f90c97d03397186ba00a91102faae7e992e15f761d5662c3c37e3c6c2cfd2ebc"
            "0bf59dbb8795e377bd7dd353230a41ba2d82294b45871a39b42ca531f26b52f46e356fbaf5075c8fd5b8b0"
            "8a0df4a1d2e1bdd2e5d69169c1efbb51e393e608d833d325bebfbccb2e15ec08f94b264582fa7b93f7cebc"
            "aa69f4f0cac2744d4fe35b04df26b2ae69273eed33024949080c1c95a6ef046beede959e9494297dd770af"
            "4ac6fdd56783aa012555c213dc05cf0f41d1c95119720fcfe1621027f80e2ddd56ea3c1fc596f7b2579333"
            "5a887ec788092b4a69d23b6219e27d0249b50b3fdcb95b5227007689362e0416b3bae3dae7cb56b4394666"
            "4e3a3f60dce8d0b678fcd754bebf87bd2b0278dd782d952488a46f2874e34c2dd97bb74084a62b850e9719"
            "252cd1dca7dbf1858193f6cf093cb3735312bbe1138cf29d8f350e285923f8ef07065299926720b42264e8"
            "fd5d4b133e72f47c4e999ea689c353f8b41e50a59838e1a0d09eca4a557f77a9c389a0591ad1639119ce86"
            "edc3320130480ee5101effae6066e8c85aac9ead2ae83e49c1e508aab02f753decbb522ea2200d62fd5d26"
            "094bd35100bffaa1cdc6af9f7e9cfe7b63da6b5671cd5ac2cf5da450c72addc64cde441f3b7f7fdaf930ad"
            "1e13388e8a7308d8ca4607e59e082db431a232e7e12cb692baeb4b2127e110ff24cea322ffdbc2e4d9c4c6"
            "bed27753137d07897c8613627a799a560cf1a2d1edb3de029442862940a5ed7785eea8b6ace93aa6af0792"
            "fd82877f62d07b757d0179ecbb7347004ecc9c0690d41f75f188cb17ffd2cec2ad8c9675466bb33b737a2a"
            "e7592b2dcb8132aced2e572266f3f5413a5f9d6d4339a1e4662622af2e7e157a4ea3bfd5c4247e2ec91d8c"
            "5c3c17427d5edfae673d0e0f782a8d40fa805fd8bc82ae3cb21a65cdad863e02309f6b01d1753fa884b778"
            "f6e019a2004d8964deeb11f1fd478fcb");
    ASSERT_TRUE(sessionEstablishmentEncoded);
    auto [sessionEstablishmentItem, _se, _se2] = cppbor::parse(sessionEstablishmentEncoded.value());
    const cppbor::Map* sessionEstablishment = sessionEstablishmentItem->asMap();
    ASSERT_NE(sessionEstablishment, nullptr);
    const cppbor::Semantic* eReaderKeyBytes =
            findSemanticValueForTstr(sessionEstablishment, "eReaderKeyBytes");
    ASSERT_NE(eReaderKeyBytes, nullptr);
    ASSERT_EQ(eReaderKeyBytes->value(), 24);
    const cppbor::Bstr* eReaderKeyBstr = eReaderKeyBytes->child()->asBstr();
    ASSERT_NE(eReaderKeyBstr, nullptr);
    vector<uint8_t> eReaderKeyEncoded = eReaderKeyBstr->value();
    // TODO: verify this agrees with ephemeralReaderKeyX and ephemeralReaderKeyY

    // We're given DeviceEngagement.
    //
    vector<uint8_t> deviceEngagementEncoded =
            support::decodeHex(
                    "a20063312e30018201d818584ba401022001215820cef66d6b2a3a993e591214d1ea223fb545ca"
                    "6c471c48306e4c36069404c5723f225820878662a229aaae906e123cdd9d3b4c10590ded29fe75"
                    "1eeeca34bbaa44af0773")
                    .value();

    // Now calculate SessionTranscriptBytes. It is defined as
    //
    //   SessionTranscript = [
    //      DeviceEngagementBytes,
    //      EReaderKeyBytes,
    //      Handover
    //   ]
    //
    //   SessionTranscriptBytes = #6.24(bstr .cbor SessionTranscript)
    //
    cppbor::Array sessionTranscript;
    sessionTranscript.add(cppbor::Semantic(24, deviceEngagementEncoded));
    sessionTranscript.add(cppbor::Semantic(24, eReaderKeyEncoded));
    sessionTranscript.add(cppbor::Null());
    vector<uint8_t> sessionTranscriptEncoded = sessionTranscript.encode();
    vector<uint8_t> sessionTranscriptBytes =
            cppbor::Semantic(24, sessionTranscriptEncoded).encode();

    // The expected EMacKey is 4c1ebb8aacc633465390fa44edfdb49cb57f2e079aaa771d812584699c0b97e2
    //
    // Verify that support::calcEMacKey() gets the same result.
    //
    optional<vector<uint8_t>> eMacKey =
            support::calcEMacKey(support::ecKeyPairGetPrivateKey(deviceKey).value(),  // private key
                                 ephemeralReaderKeyPublic,                            // public key
                                 sessionTranscriptBytes);  // sessionTranscriptBytes
    ASSERT_TRUE(eMacKey);
    ASSERT_EQ(support::encodeHex(eMacKey.value()),
              "4c1ebb8aacc633465390fa44edfdb49cb57f2e079aaa771d812584699c0b97e2");

    // Also do it the other way around
    //
    optional<vector<uint8_t>> eMacKey2 = support::calcEMacKey(
            support::ecKeyPairGetPrivateKey(ephemeralReaderKey).value(),  // private key
            support::ecKeyPairGetPublicKey(deviceKey).value(),            // public key
            sessionTranscriptBytes);                                      // sessionTranscriptBytes
    ASSERT_TRUE(eMacKey2);
    ASSERT_EQ(support::encodeHex(eMacKey2.value()),
              "4c1ebb8aacc633465390fa44edfdb49cb57f2e079aaa771d812584699c0b97e2");

    // We're given DeviceResponse
    //
    vector<uint8_t> deviceResponseEncoded =
            support::decodeHex(
                    "a36776657273696f6e63312e3069646f63756d656e747381a367646f6354797065756f72672e69"
                    "736f2e31383031332e352e312e6d444c6c6973737565725369676e6564a26a6e616d6553706163"
                    "6573a2716f72672e69736f2e31383031332e352e3181d8185863a4686469676573744944016672"
                    "616e646f6d58208798645b20ea200e19ffabac92624bee6aec63aceedecfb1b80077d22bfc20e9"
                    "71656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456"
                    "616c756563446f656b636f6d2e6578616d706c6581d8185864a468646967657374494401667261"
                    "6e646f6d5820218ecf13521b53f4b96abaebe56417afec0e4c91fc8fb26086cd1e5cdc1a94ff71"
                    "656c656d656e744964656e7469666965726f616e6f746865725f656c656d656e746c656c656d65"
                    "6e7456616c75650a6a697373756572417574688443a10126a118215901d2308201ce30820174a0"
                    "0302010202141f7d44f4f107c5ee3f566049cf5d72de294b0d23300a06082a8648ce3d04030230"
                    "233114301206035504030c0b75746f7069612069616361310b3009060355040613025553301e17"
                    "0d3230313030313030303030305a170d3231313030313030303030305a30213112301006035504"
                    "030c0975746f706961206473310b30090603550406130255533059301306072a8648ce3d020106"
                    "082a8648ce3d03010703420004301d9e502dc7e05da85da026a7ae9aa0fac9db7d52a95b3e3e3f"
                    "9aa0a1b45b8b6551b6f6b3061223e0d23c026b017d72298d9ae46887ca61d58db6aea17ee267a3"
                    "8187308184301e0603551d120417301581136578616d706c65406578616d706c652e636f6d301c"
                    "0603551d1f041530133011a00fa00d820b6578616d706c652e636f6d301d0603551d0e04160414"
                    "7bef4db59a1ffb07592bfc57f4743b8a73aea792300e0603551d0f0101ff040403020780301506"
                    "03551d250101ff040b3009060728818c5d050102300a06082a8648ce3d04030203480030450220"
                    "21d52fb1fbda80e5bfda1e8dfb1bc7bf0acb7261d5c9ff54425af76eb21571c602210082bf301f"
                    "89e0a2cb9ca9c9050352de80b47956764f7a3e07bf6a8cd87528a3b55901d2d8185901cda66776"
                    "657273696f6e63312e306f646967657374416c676f726974686d675348412d3235366c76616c75"
                    "6544696765737473a2716f72672e69736f2e31383031332e352e31a20058203b22af1126771f02"
                    "f0ea0d546d4ee3c5b51637381154f5211b79daf5f9facaa8015820f2cba0ce3cde5df901a3da75"
                    "13a4d7f7225fdfe5a306544529bf3dbcce655ca06b636f6d2e6578616d706c65a200582072636d"
                    "ddc282424a63499f4b3927aaa3b74da7b9c0134178bf735e949e4a761e01582006322d3cbe6603"
                    "876bdacc5b6679b51b0fc53d029c244fd5ea719d9028459c916d6465766963654b6579496e666f"
                    "a1696465766963654b6579a4010220012158203ed113b7883b4c590638379db0c21cda16742ed0"
                    "255048bf433391d374bc21d12258209099209accc4c8a224c843afa4f4c68a090d04da5e9889da"
                    "e2f8eefce82a374067646f6354797065756f72672e69736f2e31383031332e352e312e6d444c6c"
                    "76616c6964697479496e666fa3667369676e6564c074323032302d31302d30315431333a33303a"
                    "30325a6976616c696446726f6dc074323032302d31302d30315431333a33303a30325a6a76616c"
                    "6964556e74696cc074323032312d31302d30315431333a33303a30325a5840273ec1b59817d571"
                    "b5a2c5c0ab0ea213d42acb18547fd7097afcc888a22ecbb863c6461ce0e240880895b4aaa84308"
                    "784571c7be7aa3a2e7e3a2ea1a145ed1966c6465766963655369676e6564a26a6e616d65537061"
                    "636573d81841a06a64657669636541757468a1696465766963654d61638443a10105a0f6582009"
                    "da7c964ac004ec36ec64edd0c1abf50c03433c215c3ddb144768abcdf20a60667374617475730"
                    "0")
                    .value();
    auto [deviceResponseItem, _, _2] = cppbor::parse(deviceResponseEncoded);
    const cppbor::Map* deviceResponse = deviceResponseItem->asMap();
    ASSERT_NE(deviceResponse, nullptr);
    const cppbor::Array* documents = findArrayValueForTstr(deviceResponse, "documents");
    ASSERT_NE(documents, nullptr);
    ASSERT_EQ(documents->size(), 1);
    const cppbor::Map* document = ((*documents)[0])->asMap();
    ASSERT_NE(document, nullptr);

    // Get docType
    string docType = findStringValueForTstr(document, "docType");
    ASSERT_EQ(docType, "org.iso.18013.5.1.mDL");

    // Drill down...
    const cppbor::Map* deviceSigned = findMapValueForTstr(document, "deviceSigned");
    ASSERT_NE(deviceSigned, nullptr);

    // Dig out the encoded form of DeviceNameSpaces
    //
    const cppbor::Semantic* deviceNameSpacesBytes =
            findSemanticValueForTstr(deviceSigned, "nameSpaces");
    ASSERT_NE(deviceNameSpacesBytes, nullptr);
    ASSERT_EQ(deviceNameSpacesBytes->value(), 24);
    const cppbor::Bstr* deviceNameSpacesBstr = deviceNameSpacesBytes->child()->asBstr();
    ASSERT_NE(deviceNameSpacesBstr, nullptr);
    vector<uint8_t> deviceNameSpacesEncoded = deviceNameSpacesBstr->value();

    // (For this version of 18013-5, DeviceNameSpaces is always supposed to be empty, check that.)
    EXPECT_EQ(deviceNameSpacesEncoded, cppbor::Map().encode());

    const cppbor::Map* deviceAuth = findMapValueForTstr(deviceSigned, "deviceAuth");
    ASSERT_NE(deviceAuth, nullptr);
    // deviceMac is is the COSE_Mac0.. dig out the encoded form to check that
    // support::calcMac() gives exactly the same bytes.
    //
    const cppbor::Array* deviceMac = findArrayValueForTstr(deviceAuth, "deviceMac");
    ASSERT_NE(deviceMac, nullptr);
    vector<uint8_t> deviceMacEncoded = deviceMac->encode();

    // Now we calculate what it should be..
    optional<vector<uint8_t>> calculatedMac =
            support::calcMac(sessionTranscriptEncoded,  // SessionTranscript
                             docType,                   // DocType
                             deviceNameSpacesEncoded,   // DeviceNamespaces
                             eMacKey.value());          // EMacKey
    ASSERT_TRUE(calculatedMac);

    // ... and hopefully it's the same!
    ASSERT_EQ(calculatedMac.value().size(), deviceMacEncoded.size());
    EXPECT_TRUE(memcmp(calculatedMac.value().data(), deviceMacEncoded.data(),
                       deviceMacEncoded.size()) == 0);
}

}  // namespace identity
}  // namespace hardware
}  // namespace android

int main(int argc, char** argv) {
    ::testing::InitGoogleTest(&argc, argv);
    return RUN_ALL_TESTS();
}