Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / c75ac31ec97c9a6116403355bc61e3976fe44074 / . / identity / 1.0 / vts / functional / VtsHalIdentityCredentialTargetTest.cpp
blob: 903e912b8344c2b6ef2b6992c4f6b0b4fb16a5ea [file] [log] [blame]
David Zeuthenc75ac312019-10-28 13:16:45 -0400[diff] [blame^]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#define LOG_TAG "IdentityCredentialHidlHalTest"
18
19#include <map>
20
21#include <android-base/logging.h>
22#include <android/hardware/identity/1.0/IIdentityCredentialStore.h>
23#include <android/hardware/identity/1.0/types.h>
24#include <android/hardware/identity/support/IdentityCredentialSupport.h>
25
26#include <cppbor.h>
27#include <cppbor_parse.h>
28#include <gtest/gtest.h>
29#include <hidl/GtestPrinter.h>
30#include <hidl/ServiceManagement.h>
31
32using std::map;
33using std::optional;
34using std::string;
35using std::vector;
36
37namespace android {
38namespace hardware {
39namespace identity {
40namespace test {
41
42using ::android::hardware::identity::V1_0::IIdentityCredential;
43using ::android::hardware::identity::V1_0::IIdentityCredentialStore;
44using ::android::hardware::identity::V1_0::IWritableIdentityCredential;
45using ::android::hardware::identity::V1_0::Result;
46using ::android::hardware::identity::V1_0::ResultCode;
47using ::android::hardware::identity::V1_0::SecureAccessControlProfile;
48using ::android::hardware::keymaster::V4_0::HardwareAuthToken;
49
50// ---------------------------------------------------------------------------
51// Test Data.
52// ---------------------------------------------------------------------------
53
54struct TestEntryData {
55 TestEntryData(string nameSpace, string name, vector<uint16_t> profileIds)
56 : nameSpace(nameSpace), name(name), profileIds(profileIds) {}
57
58 TestEntryData(string nameSpace, string name, const string& value, vector<uint16_t> profileIds)
59 : TestEntryData(nameSpace, name, profileIds) {
60 valueCbor = cppbor::Tstr(((const char*)value.data())).encode();
61 }
62 TestEntryData(string nameSpace, string name, const vector<uint8_t>& value,
63 vector<uint16_t> profileIds)
64 : TestEntryData(nameSpace, name, profileIds) {
65 valueCbor = cppbor::Bstr(value).encode();
66 }
67 TestEntryData(string nameSpace, string name, bool value, vector<uint16_t> profileIds)
68 : TestEntryData(nameSpace, name, profileIds) {
69 valueCbor = cppbor::Bool(value).encode();
70 }
71 TestEntryData(string nameSpace, string name, int64_t value, vector<uint16_t> profileIds)
72 : TestEntryData(nameSpace, name, profileIds) {
73 if (value >= 0) {
74 valueCbor = cppbor::Uint(value).encode();
75 } else {
76 valueCbor = cppbor::Nint(-value).encode();
77 }
78 }
79
80 string nameSpace;
81 string name;
82 vector<uint8_t> valueCbor;
83 vector<uint16_t> profileIds;
84};
85
86struct TestProfile {
87 uint16_t id;
88 hidl_vec<uint8_t> readerCertificate;
89 bool userAuthenticationRequired;
90 uint64_t timeoutMillis;
91};
92
93/************************************
94 * TEST DATA FOR AUTHENTICATION
95 ************************************/
96// Test authentication token for user authentication
97
98class IdentityCredentialStoreHidlTest : public ::testing::TestWithParam<std::string> {
99 public:
100 virtual void SetUp() override {
101 string serviceName = GetParam();
102 ASSERT_FALSE(serviceName.empty());
103 credentialStore_ = IIdentityCredentialStore::getService(serviceName);
104 ASSERT_NE(credentialStore_, nullptr);
105
106 credentialStore_->getHardwareInformation(
107 [&](const Result& result, const hidl_string& credentialStoreName,
108 const hidl_string& credentialStoreAuthorName, uint32_t chunkSize,
109 bool /* isDirectAccess */,
110 const hidl_vec<hidl_string> /* supportedDocTypes */) {
111 EXPECT_EQ("", result.message);
112 ASSERT_EQ(ResultCode::OK, result.code);
113 ASSERT_GT(credentialStoreName.size(), 0u);
114 ASSERT_GT(credentialStoreAuthorName.size(), 0u);
115 ASSERT_GE(chunkSize, 256u); // Chunk sizes < APDU buffer won't be supported
116 dataChunkSize_ = chunkSize;
117 });
118 }
119 virtual void TearDown() override {}
120
121 uint32_t dataChunkSize_ = 0;
122
123 sp<IIdentityCredentialStore> credentialStore_;
124};
125
126TEST_P(IdentityCredentialStoreHidlTest, HardwareConfiguration) {
127 credentialStore_->getHardwareInformation(
128 [&](const Result& result, const hidl_string& credentialStoreName,
129 const hidl_string& credentialStoreAuthorName, uint32_t chunkSize,
130 bool /* isDirectAccess */, const hidl_vec<hidl_string> /* supportedDocTypes */) {
131 EXPECT_EQ("", result.message);
132 ASSERT_EQ(ResultCode::OK, result.code);
133 ASSERT_GT(credentialStoreName.size(), 0u);
134 ASSERT_GT(credentialStoreAuthorName.size(), 0u);
135 ASSERT_GE(chunkSize, 256u); // Chunk sizes < APDU buffer won't be supported
136 });
137}
138
139TEST_P(IdentityCredentialStoreHidlTest, createAndRetrieveCredential) {
140 // First, generate a key-pair for the reader since its public key will be
141 // part of the request data.
142 optional<vector<uint8_t>> readerKeyPKCS8 = support::createEcKeyPair();
143 ASSERT_TRUE(readerKeyPKCS8);
144 optional<vector<uint8_t>> readerPublicKey =
145 support::ecKeyPairGetPublicKey(readerKeyPKCS8.value());
146 optional<vector<uint8_t>> readerKey = support::ecKeyPairGetPrivateKey(readerKeyPKCS8.value());
147 string serialDecimal = "1234";
148 string issuer = "Android Open Source Project";
149 string subject = "Android IdentityCredential VTS Test";
150 time_t validityNotBefore = time(nullptr);
151 time_t validityNotAfter = validityNotBefore + 365 * 24 * 3600;
152 optional<vector<uint8_t>> readerCertificate = support::ecPublicKeyGenerateCertificate(
153 readerPublicKey.value(), readerKey.value(), serialDecimal, issuer, subject,
154 validityNotBefore, validityNotAfter);
155 ASSERT_TRUE(readerCertificate);
156
157 // Make the portrait image really big (just shy of 256 KiB) to ensure that
158 // the chunking code gets exercised.
159 vector<uint8_t> portraitImage;
160 portraitImage.resize(256 * 1024 - 10);
161 for (size_t n = 0; n < portraitImage.size(); n++) {
162 portraitImage[n] = (uint8_t)n;
163 }
164
165 // Access control profiles:
166 const vector<TestProfile> testProfiles = {// Profile 0 (reader authentication)
167 {0, readerCertificate.value(), false, 0},
168 // Profile 1 (no authentication)
169 {1, {}, false, 0}};
170
171 HardwareAuthToken authToken = {};
172
173 // Here's the actual test data:
174 const vector<TestEntryData> testEntries = {
175 {"PersonalData", "Last name", string("Turing"), vector<uint16_t>{0, 1}},
176 {"PersonalData", "Birth date", string("19120623"), vector<uint16_t>{0, 1}},
177 {"PersonalData", "First name", string("Alan"), vector<uint16_t>{0, 1}},
178 {"PersonalData", "Home address", string("Maida Vale, London, England"),
179 vector<uint16_t>{0}},
180 {"Image", "Portrait image", portraitImage, vector<uint16_t>{0, 1}},
181 };
182 const vector<uint16_t> testEntriesEntryCounts = {static_cast<uint16_t>(testEntries.size() - 1),
183 1u};
184
185 string cborPretty;
186 sp<IWritableIdentityCredential> writableCredential;
187
188 hidl_vec<uint8_t> empty{0};
189
190 string docType = "org.iso.18013-5.2019.mdl";
191 bool testCredential = true;
192 Result result;
193 credentialStore_->createCredential(
194 docType, testCredential,
195 [&](const Result& _result, const sp<IWritableIdentityCredential>& _writableCredential) {
196 result = _result;
197 writableCredential = _writableCredential;
198 });
199 EXPECT_EQ("", result.message);
200 ASSERT_EQ(ResultCode::OK, result.code);
201 ASSERT_NE(writableCredential, nullptr);
202
203 string challenge = "attestationChallenge";
204 vector<uint8_t> attestationChallenge(challenge.begin(), challenge.end());
205 vector<uint8_t> attestationCertificate;
206 writableCredential->getAttestationCertificate(
207 attestationChallenge,
208 [&](const Result& _result, const hidl_vec<uint8_t>& _attestationCertificate) {
209 result = _result;
210 attestationCertificate = _attestationCertificate;
211 });
212 EXPECT_EQ("", result.message);
213 ASSERT_EQ(ResultCode::OK, result.code);
214
215 writableCredential->startPersonalization(testProfiles.size(), testEntriesEntryCounts,
216 [&](const Result& _result) { result = _result; });
217 EXPECT_EQ("", result.message);
218 ASSERT_EQ(ResultCode::OK, result.code);
219
220 vector<SecureAccessControlProfile> returnedSecureProfiles;
221 for (const auto& testProfile : testProfiles) {
222 SecureAccessControlProfile profile;
223 writableCredential->addAccessControlProfile(
224 testProfile.id, testProfile.readerCertificate,
225 testProfile.userAuthenticationRequired, testProfile.timeoutMillis,
226 0, // secureUserId
227 [&](const Result& _result, const SecureAccessControlProfile& _profile) {
228 result = _result;
229 profile = _profile;
230 });
231 EXPECT_EQ("", result.message);
232 ASSERT_EQ(ResultCode::OK, result.code);
233 ASSERT_EQ(testProfile.id, profile.id);
234 ASSERT_EQ(testProfile.readerCertificate, profile.readerCertificate);
235 ASSERT_EQ(testProfile.userAuthenticationRequired, profile.userAuthenticationRequired);
236 ASSERT_EQ(testProfile.timeoutMillis, profile.timeoutMillis);
237 ASSERT_EQ(support::kAesGcmTagSize + support::kAesGcmIvSize, profile.mac.size());
238 returnedSecureProfiles.push_back(profile);
239 }
240
241 // Uses TestEntryData* pointer as key and values are the encrypted blobs. This
242 // is a little hacky but it works well enough.
243 map<const TestEntryData*, vector<vector<uint8_t>>> encryptedBlobs;
244
245 for (const auto& entry : testEntries) {
246 vector<vector<uint8_t>> chunks = support::chunkVector(entry.valueCbor, dataChunkSize_);
247
248 writableCredential->beginAddEntry(entry.profileIds, entry.nameSpace, entry.name,
249 entry.valueCbor.size(),
250 [&](const Result& _result) { result = _result; });
251 EXPECT_EQ("", result.message);
252 ASSERT_EQ(ResultCode::OK, result.code);
253
254 vector<vector<uint8_t>> encryptedChunks;
255 for (const auto& chunk : chunks) {
256 writableCredential->addEntryValue(
257 chunk, [&](const Result& result, hidl_vec<uint8_t> encryptedContent) {
258 EXPECT_EQ("", result.message);
259 ASSERT_EQ(ResultCode::OK, result.code);
260 ASSERT_GT(encryptedContent.size(), 0u);
261 encryptedChunks.push_back(encryptedContent);
262 });
263 }
264 encryptedBlobs[&entry] = encryptedChunks;
265 }
266
267 vector<uint8_t> credentialData;
268 vector<uint8_t> proofOfProvisioningSignature;
269 writableCredential->finishAddingEntries(
270 [&](const Result& _result, const hidl_vec<uint8_t>& _credentialData,
271 const hidl_vec<uint8_t>& _proofOfProvisioningSignature) {
272 result = _result;
273 credentialData = _credentialData;
274 proofOfProvisioningSignature = _proofOfProvisioningSignature;
275 });
276 EXPECT_EQ("", result.message);
277 ASSERT_EQ(ResultCode::OK, result.code);
278
279 optional<vector<uint8_t>> proofOfProvisioning =
280 support::coseSignGetPayload(proofOfProvisioningSignature);
281 ASSERT_TRUE(proofOfProvisioning);
282 cborPretty = support::cborPrettyPrint(proofOfProvisioning.value(), 32, {"readerCertificate"});
283 EXPECT_EQ(
284 "[\n"
285 " 'ProofOfProvisioning',\n"
286 " 'org.iso.18013-5.2019.mdl',\n"
287 " [\n"
288 " {\n"
289 " 'id' : 0,\n"
290 " 'readerCertificate' : <not printed>,\n"
291 " },\n"
292 " {\n"
293 " 'id' : 1,\n"
294 " },\n"
295 " ],\n"
296 " {\n"
297 " 'PersonalData' : [\n"
298 " {\n"
299 " 'name' : 'Last name',\n"
300 " 'value' : 'Turing',\n"
301 " 'accessControlProfiles' : [0, 1, ],\n"
302 " },\n"
303 " {\n"
304 " 'name' : 'Birth date',\n"
305 " 'value' : '19120623',\n"
306 " 'accessControlProfiles' : [0, 1, ],\n"
307 " },\n"
308 " {\n"
309 " 'name' : 'First name',\n"
310 " 'value' : 'Alan',\n"
311 " 'accessControlProfiles' : [0, 1, ],\n"
312 " },\n"
313 " {\n"
314 " 'name' : 'Home address',\n"
315 " 'value' : 'Maida Vale, London, England',\n"
316 " 'accessControlProfiles' : [0, ],\n"
317 " },\n"
318 " ],\n"
319 " 'Image' : [\n"
320 " {\n"
321 " 'name' : 'Portrait image',\n"
322 " 'value' : <bstr size=262134 sha1=941e372f654d86c32d88fae9e41b706afbfd02bb>,\n"
323 " 'accessControlProfiles' : [0, 1, ],\n"
324 " },\n"
325 " ],\n"
326 " },\n"
327 " true,\n"
328 "]",
329 cborPretty);
330
331 optional<vector<uint8_t>> credentialPubKey =
332 support::certificateChainGetTopMostKey(attestationCertificate);
333 ASSERT_TRUE(credentialPubKey);
334 EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature,
335 {}, // Additional data
336 credentialPubKey.value()));
337 writableCredential = nullptr;
338
339 // Now that the credential has been provisioned, read it back and check the
340 // correct data is returned.
341 sp<IIdentityCredential> credential;
342 credentialStore_->getCredential(
343 credentialData, [&](const Result& _result, const sp<IIdentityCredential>& _credential) {
344 result = _result;
345 credential = _credential;
346 });
347 EXPECT_EQ("", result.message);
348 ASSERT_EQ(ResultCode::OK, result.code);
349 ASSERT_NE(credential, nullptr);
350
351 optional<vector<uint8_t>> readerEphemeralKeyPair = support::createEcKeyPair();
352 ASSERT_TRUE(readerEphemeralKeyPair);
353 optional<vector<uint8_t>> readerEphemeralPublicKey =
354 support::ecKeyPairGetPublicKey(readerEphemeralKeyPair.value());
355 credential->setReaderEphemeralPublicKey(readerEphemeralPublicKey.value(),
356 [&](const Result& _result) { result = _result; });
357 EXPECT_EQ("", result.message);
358 ASSERT_EQ(ResultCode::OK, result.code);
359
360 vector<uint8_t> ephemeralKeyPair;
361 credential->createEphemeralKeyPair(
362 [&](const Result& _result, const hidl_vec<uint8_t>& _ephemeralKeyPair) {
363 result = _result;
364 ephemeralKeyPair = _ephemeralKeyPair;
365 });
366 EXPECT_EQ("", result.message);
367 ASSERT_EQ(ResultCode::OK, result.code);
368 optional<vector<uint8_t>> ephemeralPublicKey = support::ecKeyPairGetPublicKey(ephemeralKeyPair);
369
370 // Calculate requestData field and sign it with the reader key.
371 auto [getXYSuccess, ephX, ephY] = support::ecPublicKeyGetXandY(ephemeralPublicKey.value());
372 ASSERT_TRUE(getXYSuccess);
373 cppbor::Map deviceEngagement = cppbor::Map().add("ephX", ephX).add("ephY", ephY);
374 vector<uint8_t> deviceEngagementBytes = deviceEngagement.encode();
375 vector<uint8_t> eReaderPubBytes = cppbor::Tstr("ignored").encode();
376 cppbor::Array sessionTranscript = cppbor::Array()
377 .add(cppbor::Semantic(24, deviceEngagementBytes))
378 .add(cppbor::Semantic(24, eReaderPubBytes));
379 vector<uint8_t> sessionTranscriptBytes = sessionTranscript.encode();
380
381 vector<uint8_t> itemsRequestBytes =
382 cppbor::Map("nameSpaces",
383 cppbor::Map()
384 .add("PersonalData", cppbor::Map()
385 .add("Last name", false)
386 .add("Birth date", false)
387 .add("First name", false)
388 .add("Home address", true))
389 .add("Image", cppbor::Map().add("Portrait image", false)))
390 .encode();
391 cborPretty = support::cborPrettyPrint(itemsRequestBytes, 32, {"EphemeralPublicKey"});
392 EXPECT_EQ(
393 "{\n"
394 " 'nameSpaces' : {\n"
395 " 'PersonalData' : {\n"
396 " 'Last name' : false,\n"
397 " 'Birth date' : false,\n"
398 " 'First name' : false,\n"
399 " 'Home address' : true,\n"
400 " },\n"
401 " 'Image' : {\n"
402 " 'Portrait image' : false,\n"
403 " },\n"
404 " },\n"
405 "}",
406 cborPretty);
407 vector<uint8_t> dataToSign = cppbor::Array()
408 .add("ReaderAuthentication")
409 .add(sessionTranscript.clone())
410 .add(cppbor::Semantic(24, itemsRequestBytes))
411 .encode();
412 optional<vector<uint8_t>> readerSignature =
413 support::coseSignEcDsa(readerKey.value(), {}, // content
414 dataToSign, // detached content
415 readerCertificate.value());
416 ASSERT_TRUE(readerSignature);
417
418 credential->startRetrieval(returnedSecureProfiles, authToken, itemsRequestBytes,
419 sessionTranscriptBytes, readerSignature.value(),
420 testEntriesEntryCounts,
421 [&](const Result& _result) { result = _result; });
422 EXPECT_EQ("", result.message);
423 ASSERT_EQ(ResultCode::OK, result.code);
424
425 for (const auto& entry : testEntries) {
426 credential->startRetrieveEntryValue(entry.nameSpace, entry.name, entry.valueCbor.size(),
427 entry.profileIds,
428 [&](const Result& _result) { result = _result; });
429 EXPECT_EQ("", result.message);
430 ASSERT_EQ(ResultCode::OK, result.code);
431
432 auto it = encryptedBlobs.find(&entry);
433 ASSERT_NE(it, encryptedBlobs.end());
434 const vector<vector<uint8_t>>& encryptedChunks = it->second;
435
436 vector<uint8_t> content;
437 for (const auto& encryptedChunk : encryptedChunks) {
438 vector<uint8_t> chunk;
439 credential->retrieveEntryValue(
440 encryptedChunk, [&](const Result& _result, const hidl_vec<uint8_t>& _chunk) {
441 result = _result;
442 chunk = _chunk;
443 });
444 EXPECT_EQ("", result.message);
445 ASSERT_EQ(ResultCode::OK, result.code);
446 content.insert(content.end(), chunk.begin(), chunk.end());
447 }
448 EXPECT_EQ(content, entry.valueCbor);
449 }
450
451 // Generate the key that will be used to sign AuthenticatedData.
452 vector<uint8_t> signingKeyBlob;
453 vector<uint8_t> signingKeyCertificate;
454 credential->generateSigningKeyPair([&](const Result& _result,
455 const hidl_vec<uint8_t> _signingKeyBlob,
456 const hidl_vec<uint8_t> _signingKeyCertificate) {
457 result = _result;
458 signingKeyBlob = _signingKeyBlob;
459 signingKeyCertificate = _signingKeyCertificate;
460 });
461 EXPECT_EQ("", result.message);
462 ASSERT_EQ(ResultCode::OK, result.code);
463
464 vector<uint8_t> mac;
465 vector<uint8_t> deviceNameSpacesBytes;
466 credential->finishRetrieval(signingKeyBlob,
467 [&](const Result& _result, const hidl_vec<uint8_t> _mac,
468 const hidl_vec<uint8_t> _deviceNameSpacesBytes) {
469 result = _result;
470 mac = _mac;
471 deviceNameSpacesBytes = _deviceNameSpacesBytes;
472 });
473 EXPECT_EQ("", result.message);
474 ASSERT_EQ(ResultCode::OK, result.code);
475 cborPretty = support::cborPrettyPrint(deviceNameSpacesBytes, 32, {});
476 ASSERT_EQ(
477 "{\n"
478 " 'PersonalData' : {\n"
479 " 'Last name' : 'Turing',\n"
480 " 'Birth date' : '19120623',\n"
481 " 'First name' : 'Alan',\n"
482 " 'Home address' : 'Maida Vale, London, England',\n"
483 " },\n"
484 " 'Image' : {\n"
485 " 'Portrait image' : <bstr size=262134 "
486 "sha1=941e372f654d86c32d88fae9e41b706afbfd02bb>,\n"
487 " },\n"
488 "}",
489 cborPretty);
490 // The data that is MACed is ["DeviceAuthentication", sessionTranscriptBytes, docType,
491 // deviceNameSpacesBytes] so build up that structure
492 cppbor::Array deviceAuthentication;
493 deviceAuthentication.add("DeviceAuthentication");
494 deviceAuthentication.add(sessionTranscript.clone());
495 deviceAuthentication.add(docType);
496 deviceAuthentication.add(cppbor::Semantic(24, deviceNameSpacesBytes));
497 vector<uint8_t> encodedDeviceAuthentication = deviceAuthentication.encode();
498 optional<vector<uint8_t>> signingPublicKey =
499 support::certificateChainGetTopMostKey(signingKeyCertificate);
500 EXPECT_TRUE(signingPublicKey);
501
502 // Derive the key used for MACing.
503 optional<vector<uint8_t>> readerEphemeralPrivateKey =
504 support::ecKeyPairGetPrivateKey(readerEphemeralKeyPair.value());
505 optional<vector<uint8_t>> sharedSecret =
506 support::ecdh(signingPublicKey.value(), readerEphemeralPrivateKey.value());
507 ASSERT_TRUE(sharedSecret);
508 vector<uint8_t> salt = {0x00};
509 vector<uint8_t> info = {};
510 optional<vector<uint8_t>> derivedKey = support::hkdf(sharedSecret.value(), salt, info, 32);
511 ASSERT_TRUE(derivedKey);
512 optional<vector<uint8_t>> calculatedMac =
513 support::coseMac0(derivedKey.value(), {}, // payload
514 encodedDeviceAuthentication); // detached content
515 ASSERT_TRUE(calculatedMac);
516 EXPECT_EQ(mac, calculatedMac);
517}
518
519INSTANTIATE_TEST_SUITE_P(PerInstance, IdentityCredentialStoreHidlTest,
520 testing::ValuesIn(android::hardware::getAllHalInstanceNames(
521 IIdentityCredentialStore::descriptor)),
522 android::hardware::PrintInstanceNameToString);
523
524} // namespace test
525} // namespace identity
526} // namespace hardware
527} // namespace android