Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 21927e2ddde42cac9264a5cfa249aa143c15bec6 / . / identity / aidl / vts / TestCredentialTests.cpp
blob: d53de3b073e76294c5e5a8c3d7f9530bf5789cb2 [file] [log] [blame]
David Zeuthen49f2d252020-10-16 11:27:24 -0400[diff] [blame]1/*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "TestCredentialTests"
18
19#include <aidl/Gtest.h>
20#include <aidl/Vintf.h>
21#include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22#include <aidl/android/hardware/keymaster/VerificationToken.h>
23#include <android-base/logging.h>
24#include <android/hardware/identity/IIdentityCredentialStore.h>
25#include <android/hardware/identity/support/IdentityCredentialSupport.h>
26#include <binder/IServiceManager.h>
27#include <binder/ProcessState.h>
28#include <cppbor.h>
29#include <cppbor_parse.h>
30#include <gtest/gtest.h>
31#include <future>
32#include <map>
33#include <utility>
34
35#include "Util.h"
36
37namespace android::hardware::identity {
38
39using std::endl;
40using std::make_pair;
41using std::map;
42using std::optional;
43using std::pair;
44using std::string;
45using std::tie;
46using std::vector;
47
48using ::android::sp;
49using ::android::String16;
50using ::android::binder::Status;
51
52using ::android::hardware::keymaster::HardwareAuthToken;
53using ::android::hardware::keymaster::VerificationToken;
54
55class TestCredentialTests : public testing::TestWithParam<string> {
56 public:
57 virtual void SetUp() override {
58 string halInstanceName = GetParam();
59 credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
60 String16(halInstanceName.c_str()));
61 ASSERT_NE(credentialStore_, nullptr);
62 halApiVersion_ = credentialStore_->getInterfaceVersion();
63 }
64
65 sp<IIdentityCredentialStore> credentialStore_;
66 int halApiVersion_;
67};
68
69TEST_P(TestCredentialTests, testCredential) {
70 string docType = "org.iso.18013-5.2019.mdl";
71 sp<IWritableIdentityCredential> wc;
72 ASSERT_TRUE(credentialStore_
73 ->createCredential(docType,
74 true, // testCredential
75 &wc)
76 .isOk());
77
78 vector<uint8_t> attestationApplicationId = {};
79 vector<uint8_t> attestationChallenge = {1};
80 vector<Certificate> certChain;
81 ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
82 &certChain)
83 .isOk());
84
85 optional<vector<uint8_t>> optCredentialPubKey =
86 support::certificateChainGetTopMostKey(certChain[0].encodedCertificate);
87 ASSERT_TRUE(optCredentialPubKey);
88 vector<uint8_t> credentialPubKey;
89 credentialPubKey = optCredentialPubKey.value();
90
91 size_t proofOfProvisioningSize = 112;
92 // Not in v1 HAL, may fail
93 wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);
94
95 ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
96 {1} /* numDataElementsPerNamespace */)
97 .isOk());
98
99 // Access control profile 0: open access - don't care about the returned SACP
100 SecureAccessControlProfile sacp;
101 ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk());
102
103 // Single entry - don't care about the returned encrypted data
104 vector<uint8_t> encryptedData;
105 vector<uint8_t> tstrLastName = cppbor::Tstr("Turing").encode();
106 ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk());
107 ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk());
108
109 vector<uint8_t> proofOfProvisioningSignature;
110 vector<uint8_t> credentialData;
111 Status status = wc->finishAddingEntries(&credentialData, &proofOfProvisioningSignature);
112 EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();
113
114 optional<vector<uint8_t>> proofOfProvisioning =
115 support::coseSignGetPayload(proofOfProvisioningSignature);
116 ASSERT_TRUE(proofOfProvisioning);
117 string cborPretty = support::cborPrettyPrint(proofOfProvisioning.value(), 32, {});
118 EXPECT_EQ(
119 "[\n"
120 " 'ProofOfProvisioning',\n"
121 " 'org.iso.18013-5.2019.mdl',\n"
122 " [\n"
123 " {\n"
124 " 'id' : 1,\n"
125 " },\n"
126 " ],\n"
127 " {\n"
128 " 'ns' : [\n"
129 " {\n"
130 " 'name' : 'Last name',\n"
131 " 'value' : 'Turing',\n"
132 " 'accessControlProfiles' : [1, ],\n"
133 " },\n"
134 " ],\n"
135 " },\n"
136 " true,\n"
137 "]",
138 cborPretty);
139 // Make sure it's signed by the CredentialKey in the returned cert chain.
140 EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
141 {}, // Additional data
142 credentialPubKey));
143
144 // Now analyze credentialData..
145 auto [item, _, message] = cppbor::parse(credentialData);
146 ASSERT_NE(item, nullptr);
147 const cppbor::Array* arrayItem = item->asArray();
148 ASSERT_NE(arrayItem, nullptr);
149 ASSERT_EQ(arrayItem->size(), 3);
150 const cppbor::Tstr* docTypeItem = (*arrayItem)[0]->asTstr();
151 const cppbor::Bool* testCredentialItem =
152 ((*arrayItem)[1]->asSimple() != nullptr ? ((*arrayItem)[1]->asSimple()->asBool())
153 : nullptr);
154 EXPECT_EQ(docTypeItem->value(), docType);
155 EXPECT_EQ(testCredentialItem->value(), true);
156
157 vector<uint8_t> hardwareBoundKey = support::getTestHardwareBoundKey();
158 const cppbor::Bstr* encryptedCredentialKeysItem = (*arrayItem)[2]->asBstr();
159 const vector<uint8_t>& encryptedCredentialKeys = encryptedCredentialKeysItem->value();
160 const vector<uint8_t> docTypeVec(docType.begin(), docType.end());
161 optional<vector<uint8_t>> decryptedCredentialKeys =
162 support::decryptAes128Gcm(hardwareBoundKey, encryptedCredentialKeys, docTypeVec);
163 ASSERT_TRUE(decryptedCredentialKeys);
164 auto [dckItem, dckPos, dckMessage] = cppbor::parse(decryptedCredentialKeys.value());
165 ASSERT_NE(dckItem, nullptr) << dckMessage;
166 const cppbor::Array* dckArrayItem = dckItem->asArray();
167 ASSERT_NE(dckArrayItem, nullptr);
168 // In HAL API version 1 and 2 this array has two items, in version 3 and later it has three.
169 if (halApiVersion_ < 3) {
170 ASSERT_EQ(dckArrayItem->size(), 2);
171 } else {
172 ASSERT_EQ(dckArrayItem->size(), 3);
173 }
174 const cppbor::Bstr* storageKeyItem = (*dckArrayItem)[0]->asBstr();
175 const vector<uint8_t> storageKey = storageKeyItem->value();
176 // const cppbor::Bstr* credentialPrivKeyItem = (*dckArrayItem)[1]->asBstr();
177 // const vector<uint8_t> credentialPrivKey = credentialPrivKeyItem->value();
178
179 // Check storageKey can be used to decrypt |encryptedData| to |tstrLastName|
180 vector<uint8_t> additionalData = cppbor::Map()
181 .add("Namespace", "ns")
182 .add("Name", "Last name")
183 .add("AccessControlProfileIds", cppbor::Array().add(1))
184 .encode();
185 optional<vector<uint8_t>> decryptedDataItemValue =
186 support::decryptAes128Gcm(storageKey, encryptedData, additionalData);
187 ASSERT_TRUE(decryptedDataItemValue);
188 EXPECT_EQ(decryptedDataItemValue.value(), tstrLastName);
189
190 // Check that SHA-256(ProofOfProvisioning) matches (only in HAL API version 3)
191 if (halApiVersion_ >= 3) {
192 const cppbor::Bstr* popSha256Item = (*dckArrayItem)[2]->asBstr();
193 const vector<uint8_t> popSha256 = popSha256Item->value();
194 ASSERT_EQ(popSha256, support::sha256(proofOfProvisioning.value()));
195 }
196}
197
198GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(TestCredentialTests);
199INSTANTIATE_TEST_SUITE_P(
200 Identity, TestCredentialTests,
201 testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)),
202 android::PrintInstanceNameToString);
203
204} // namespace android::hardware::identity