Merge "Fixed auth_token_table tests"
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 7bc1c20..68a81e6 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -204,13 +204,15 @@
name: "libkeystore_test",
defaults: ["keystore_defaults"],
- srcs: ["auth_token_table.cpp"],
+ srcs: [
+ "auth_token_table.cpp",
+ "authorization_set.cpp",
+ ],
static_libs: ["libgtest_main"],
shared_libs: [
"android.hardware.keymaster@3.0",
"libhidlbase",
"libhwbinder",
- "libkeymaster_messages",
"libutils",
],
export_shared_lib_headers: [
diff --git a/keystore/auth_token_table.cpp b/keystore/auth_token_table.cpp
index 46b644d..e54febe 100644
--- a/keystore/auth_token_table.cpp
+++ b/keystore/auth_token_table.cpp
@@ -77,12 +77,12 @@
return time.tv_sec;
}
-void AuthTokenTable::AddAuthenticationToken(const HardwareAuthToken* auth_token) {
- Entry new_entry(auth_token, clock_function_());
+void AuthTokenTable::AddAuthenticationToken(std::unique_ptr<const HardwareAuthToken>&& auth_token) {
+ Entry new_entry(std::move(auth_token), clock_function_());
//STOPSHIP: debug only, to be removed
ALOGD("AddAuthenticationToken: timestamp = %llu (%llu), time_received = %lld",
static_cast<unsigned long long>(new_entry.timestamp_host_order()),
- static_cast<unsigned long long>(auth_token->timestamp),
+ static_cast<unsigned long long>(new_entry.token().timestamp),
static_cast<long long>(new_entry.time_received()));
RemoveEntriesSupersededBy(new_entry);
@@ -137,13 +137,13 @@
if (op_handle == 0) return OP_HANDLE_REQUIRED;
auto matching_op = find_if(
- entries_, [&](Entry& e) { return e.token()->challenge == op_handle && !e.completed(); });
+ entries_, [&](Entry& e) { return e.token().challenge == op_handle && !e.completed(); });
if (matching_op == entries_.end()) return AUTH_TOKEN_NOT_FOUND;
if (!matching_op->SatisfiesAuth(sids, auth_type)) return AUTH_TOKEN_WRONG_SID;
- *found = matching_op->token();
+ *found = &matching_op->token();
return OK;
}
@@ -172,7 +172,7 @@
}
newest_match->UpdateLastUse(now);
- *found = newest_match->token();
+ *found = &newest_match->token();
return OK;
}
@@ -202,7 +202,7 @@
}
void AuthTokenTable::MarkCompleted(const uint64_t op_handle) {
- auto found = find_if(entries_, [&](Entry& e) { return e.token()->challenge == op_handle; });
+ auto found = find_if(entries_, [&](Entry& e) { return e.token().challenge == op_handle; });
if (found == entries_.end()) return;
assert(!IsSupersededBySomeEntry(*found));
@@ -211,8 +211,8 @@
if (IsSupersededBySomeEntry(*found)) entries_.erase(found);
}
-AuthTokenTable::Entry::Entry(const HardwareAuthToken* token, time_t current_time)
- : token_(token), time_received_(current_time), last_use_(current_time),
+AuthTokenTable::Entry::Entry(std::unique_ptr<const HardwareAuthToken>&& token, time_t current_time)
+ : token_(std::move(token)), time_received_(current_time), last_use_(current_time),
operation_completed_(token_->challenge == 0) {}
uint64_t AuthTokenTable::Entry::timestamp_host_order() const {
diff --git a/keystore/auth_token_table.h b/keystore/auth_token_table.h
index 0056b26..3e3ff6e 100644
--- a/keystore/auth_token_table.h
+++ b/keystore/auth_token_table.h
@@ -17,7 +17,6 @@
#include <memory>
#include <vector>
-#include <hardware/hw_auth_token.h>
#include <keystore/authorization_set.h>
#ifndef KEYSTORE_AUTH_TOKEN_TABLE_H_
@@ -61,7 +60,7 @@
/**
* Add an authorization token to the table. The table takes ownership of the argument.
*/
- void AddAuthenticationToken(const HardwareAuthToken* token);
+ void AddAuthenticationToken(std::unique_ptr<const HardwareAuthToken>&& auth_token);
/**
* Find an authorization token that authorizes the operation specified by \p operation_handle on
@@ -97,7 +96,7 @@
class Entry {
public:
- Entry(const HardwareAuthToken* token, time_t current_time);
+ Entry(std::unique_ptr<const HardwareAuthToken>&& token, time_t current_time);
Entry(Entry&& entry) { *this = std::move(entry); }
void operator=(Entry&& rhs) {
@@ -127,7 +126,7 @@
void mark_completed() { operation_completed_ = true; }
- const HardwareAuthToken* token() { return token_.get(); }
+ const HardwareAuthToken& token() { return *token_.get(); }
time_t time_received() const { return time_received_; }
bool completed() const { return operation_completed_; }
uint64_t timestamp_host_order() const;
diff --git a/keystore/include/keystore/keymaster_tags.h b/keystore/include/keystore/keymaster_tags.h
index 05a33cd..1b3e71b 100644
--- a/keystore/include/keystore/keymaster_tags.h
+++ b/keystore/include/keystore/keymaster_tags.h
@@ -60,7 +60,6 @@
*/
#include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
-#include <hardware/hw_auth_token.h>
#include <type_traits>
namespace keystore {
diff --git a/keystore/include/keystore/keystore_hidl_support.h b/keystore/include/keystore/keystore_hidl_support.h
index 3c64d2a..2a4d1eb 100644
--- a/keystore/include/keystore/keystore_hidl_support.h
+++ b/keystore/include/keystore/keystore_hidl_support.h
@@ -19,6 +19,7 @@
#define KEYSTORE_KEYSTORE_HIDL_SUPPORT_H_
#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
+#include <hardware/hw_auth_token.h>
#include <hidl/Status.h>
#include <keystore/keymaster_tags.h>
#include <ostream>
@@ -121,6 +122,38 @@
return result;
}
+template <typename T, typename InIter>
+inline static InIter copy_bytes_from_iterator(T* value, InIter src) {
+ uint8_t* value_ptr = reinterpret_cast<uint8_t*>(value);
+ std::copy(src, src + sizeof(value), value_ptr);
+ return src + sizeof(value);
+}
+
+inline static HardwareAuthToken hidlVec2AuthToken(const hidl_vec<uint8_t>& buffer) {
+ HardwareAuthToken token;
+ static_assert(
+ std::is_same<decltype(token.hmac), ::android::hardware::hidl_array<uint8_t, 32>>::value,
+ "This function assumes token HMAC is 32 bytes, but it might not be.");
+ static_assert(1 /* version size */ + sizeof(token.challenge) + sizeof(token.userId) +
+ sizeof(token.authenticatorId) + sizeof(token.authenticatorType) +
+ sizeof(token.timestamp) + 32 /* HMAC size */
+ == sizeof(hw_auth_token_t),
+ "HardwareAuthToken content size does not match hw_auth_token_t size");
+
+ if (buffer.size() != sizeof(hw_auth_token_t)) return {};
+
+ auto pos = buffer.begin();
+ ++pos; // skip first byte
+ pos = copy_bytes_from_iterator(&token.challenge, pos);
+ pos = copy_bytes_from_iterator(&token.userId, pos);
+ pos = copy_bytes_from_iterator(&token.authenticatorId, pos);
+ pos = copy_bytes_from_iterator(&token.authenticatorType, pos);
+ pos = copy_bytes_from_iterator(&token.timestamp, pos);
+ pos = std::copy(pos, pos + token.hmac.size(), &token.hmac[0]);
+
+ return token;
+}
+
inline std::string hidlVec2String(const hidl_vec<uint8_t>& value) {
return std::string(reinterpret_cast<const std::string::value_type*>(&value[0]), value.size());
}
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 59485dc..c2879c8 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -40,6 +40,8 @@
#include "keystore_utils.h"
#include <keystore/keystore_hidl_support.h>
+#include <hardware/hw_auth_token.h>
+
namespace keystore {
using namespace android;
@@ -1539,8 +1541,7 @@
"This function assumes token HMAC is 32 bytes, but it might not be.");
std::copy(authToken.hmac, authToken.hmac + sizeof(authToken.hmac), hidlAuthToken->hmac.data());
- // The table takes ownership of authToken.
- mAuthTokenTable.AddAuthenticationToken(hidlAuthToken.release());
+ mAuthTokenTable.AddAuthenticationToken(std::move(hidlAuthToken));
*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
return Status::ok();
}
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 4cee57d..c27ec6b 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -29,6 +29,8 @@
#include <hardware/hw_auth_token.h>
#include <list>
+#include <keystore/keystore_hidl_support.h>
+
namespace keystore {
class AccessTimeMap {
@@ -482,12 +484,11 @@
sizeof(hw_auth_token_t), auth_token_blob.value().size());
return false;
}
-
- hw_auth_token_t auth_token;
- memcpy(&auth_token, &auth_token_blob.value()[0], sizeof(hw_auth_token_t));
- if (auth_token.version != HW_AUTH_TOKEN_VERSION) {
+ uint8_t auth_token_version = auth_token_blob.value()[0];
+ HardwareAuthToken auth_token = hidlVec2AuthToken(auth_token_blob.value());
+ if (auth_token_version != HW_AUTH_TOKEN_VERSION) {
ALOGE("Bug: Auth token is the version %hhu (or is not an auth token). Expected %d",
- auth_token.version, HW_AUTH_TOKEN_VERSION);
+ auth_token_version, HW_AUTH_TOKEN_VERSION);
return false;
}
@@ -502,9 +503,9 @@
return false;
}
- if (user_secure_id != auth_token.user_id && user_secure_id != auth_token.authenticator_id) {
+ if (user_secure_id != auth_token.userId && user_secure_id != auth_token.authenticatorId) {
ALOGI("Auth token SIDs %" PRIu64 " and %" PRIu64 " do not match key SID %" PRIu64,
- auth_token.user_id, auth_token.authenticator_id, user_secure_id);
+ auth_token.userId, auth_token.authenticatorId, user_secure_id);
return false;
}
@@ -513,11 +514,11 @@
return false;
}
- assert(auth_set[auth_type_index].tag == KM_TAG_USER_AUTH_TYPE);
+ assert(auth_set[auth_type_index].tag == TAG_USER_AUTH_TYPE);
auto key_auth_type_mask = authorizationValue(TAG_USER_AUTH_TYPE, auth_set[auth_type_index]);
if (!key_auth_type_mask.isOk()) return false;
- uint32_t token_auth_type = ntoh(auth_token.authenticator_type);
+ uint32_t token_auth_type = ntoh(auth_token.authenticatorType);
if ((uint32_t(key_auth_type_mask.value()) & token_auth_type) == 0) {
ALOGE("Key requires match of auth type mask 0%uo, but token contained 0%uo",
key_auth_type_mask.value(), token_auth_type);
@@ -525,7 +526,7 @@
}
if (auth_timeout_index != -1 && is_begin_operation) {
- assert(auth_set[auth_timeout_index].tag == KM_TAG_AUTH_TIMEOUT);
+ assert(auth_set[auth_timeout_index].tag == TAG_AUTH_TIMEOUT);
auto auth_token_timeout =
authorizationValue(TAG_AUTH_TIMEOUT, auth_set[auth_timeout_index]);
if (!auth_token_timeout.isOk()) return false;
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index 4f22f01..28d546a 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -121,7 +121,7 @@
/*
* Returns true if the specified auth_token is older than the specified timeout.
*/
- virtual bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const = 0;
+ virtual bool auth_token_timed_out(const HardwareAuthToken& token, uint32_t timeout) const = 0;
/*
* Get current time in seconds from some starting point. This value is used to compute relative
@@ -138,7 +138,7 @@
* Returns true if the specified auth_token has a valid signature, or if signature validation is
* not available.
*/
- virtual bool ValidateTokenSignature(const hw_auth_token_t& token) const = 0;
+ virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
private:
ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 0389201..3cdf649 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -73,13 +73,13 @@
return now_date > expiration_date;
}
- bool auth_token_timed_out(const hw_auth_token_t&, uint32_t) const {
+ bool auth_token_timed_out(const HardwareAuthToken&, uint32_t) const {
// Assume the token has not timed out, because AuthTokenTable would not have returned it if
// the timeout were past. Secure hardware will also check timeouts if it supports them.
return false;
}
- bool ValidateTokenSignature(const hw_auth_token_t&) const override {
+ bool ValidateTokenSignature(const HardwareAuthToken&) const override {
// Non-secure world cannot validate token signatures because it doesn't have access to the
// signing key. Assume the token is good.
return true;
diff --git a/keystore/tests/Android.bp b/keystore/tests/Android.bp
index cc89681..5718b73 100644
--- a/keystore/tests/Android.bp
+++ b/keystore/tests/Android.bp
@@ -1,6 +1,5 @@
// Unit test for AuthTokenTable
-// TODO: enable after fixing b/68149839
-/*
+
cc_test {
cflags: [
"-Wall",
@@ -17,4 +16,3 @@
],
shared_libs: ["libkeymaster_messages"],
}
-*/
diff --git a/keystore/tests/auth_token_table_test.cpp b/keystore/tests/auth_token_table_test.cpp
index 1b31cf5..5206ba2 100644
--- a/keystore/tests/auth_token_table_test.cpp
+++ b/keystore/tests/auth_token_table_test.cpp
@@ -16,21 +16,17 @@
#include <gtest/gtest.h>
-#include <keymaster/android_keymaster_utils.h>
+#include <endian.h>
#include <keymaster/logger.h>
#include "../auth_token_table.h"
using std::vector;
-inline bool operator==(const hw_auth_token_t& a, const hw_auth_token_t& b) {
- return (memcmp(&a, &b, sizeof(a)) == 0);
-}
-
-namespace keymaster {
+namespace keystore {
namespace test {
-class StdoutLogger : public Logger {
+class StdoutLogger : public keymaster::Logger {
public:
StdoutLogger() { set_instance(this); }
@@ -66,26 +62,27 @@
AuthTokenTable table;
}
-static hw_auth_token_t* make_token(uint64_t rsid, uint64_t ssid = 0, uint64_t challenge = 0,
- uint64_t timestamp = 0) {
- hw_auth_token_t* token = new hw_auth_token_t;
- token->user_id = rsid;
- token->authenticator_id = ssid;
- token->authenticator_type = hton(static_cast<uint32_t>(HW_AUTH_PASSWORD));
+static std::unique_ptr<const HardwareAuthToken> make_token(uint64_t rsid, uint64_t ssid = 0,
+ uint64_t challenge = 0,
+ uint64_t timestamp = 0) {
+ std::unique_ptr<HardwareAuthToken> token(new HardwareAuthToken);
+ token->userId = rsid;
+ token->authenticatorId = ssid;
+ token->authenticatorType = htonl(static_cast<uint32_t>(HardwareAuthenticatorType::PASSWORD));
token->challenge = challenge;
- token->timestamp = hton(timestamp);
+ token->timestamp = htonq(timestamp);
return token;
}
static AuthorizationSet make_set(uint64_t rsid, uint32_t timeout = 10000) {
AuthorizationSetBuilder builder;
builder.Authorization(TAG_USER_ID, 10)
- .Authorization(TAG_USER_AUTH_TYPE, HW_AUTH_PASSWORD)
+ .Authorization(TAG_USER_AUTH_TYPE, HardwareAuthenticatorType::PASSWORD)
.Authorization(TAG_USER_SECURE_ID, rsid);
// Use timeout == 0 to indicate tags that require auth per operation.
if (timeout != 0)
builder.Authorization(TAG_AUTH_TIMEOUT, timeout);
- return builder.build();
+ return builder;
}
// Tests obviously run so fast that a real-time clock with a one-second granularity rarely changes
@@ -102,26 +99,26 @@
table.AddAuthenticationToken(make_token(3, 4));
EXPECT_EQ(2U, table.size());
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
- ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(1U, found->user_id);
- EXPECT_EQ(2U, found->authenticator_id);
+ ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(1U, found->userId);
+ EXPECT_EQ(2U, found->authenticatorId);
- ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(1U, found->user_id);
- EXPECT_EQ(2U, found->authenticator_id);
+ ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(1U, found->userId);
+ EXPECT_EQ(2U, found->authenticatorId);
- ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(3U, found->user_id);
- EXPECT_EQ(4U, found->authenticator_id);
+ ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(3U, found->userId);
+ EXPECT_EQ(4U, found->authenticatorId);
- ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(3U, found->user_id);
- EXPECT_EQ(4U, found->authenticator_id);
+ ASSERT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(3U, found->userId);
+ EXPECT_EQ(4U, found->authenticatorId);
ASSERT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
}
TEST(AuthTokenTableTest, FlushTable) {
@@ -131,13 +128,13 @@
table.AddAuthenticationToken(make_token(2));
table.AddAuthenticationToken(make_token(3));
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
// All three should be in the table.
EXPECT_EQ(3U, table.size());
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
table.Clear();
EXPECT_EQ(0U, table.size());
@@ -150,36 +147,36 @@
table.AddAuthenticationToken(make_token(2));
table.AddAuthenticationToken(make_token(3));
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
// All three should be in the table.
EXPECT_EQ(3U, table.size());
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
table.AddAuthenticationToken(make_token(4));
// Oldest should be gone.
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
// Others should be there, including the new one (4). Search for it first, then the others, so
// 4 becomes the least recently used.
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
table.AddAuthenticationToken(make_token(5));
// 5 should have replaced 4.
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
table.AddAuthenticationToken(make_token(6));
table.AddAuthenticationToken(make_token(7));
@@ -187,12 +184,12 @@
// 2 and 5 should be gone
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(6), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(7), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(6), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(7), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
table.AddAuthenticationToken(make_token(8));
table.AddAuthenticationToken(make_token(9));
@@ -201,75 +198,75 @@
// Only the three most recent should be there.
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(3), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(3), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(4), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(4), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(5), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(5), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(6), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(6), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(7), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(8), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(9), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(7), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(8), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(9), KeyPurpose::SIGN, 0, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(10), KM_PURPOSE_SIGN, 0, &found));
+ table.FindAuthorization(make_set(10), KeyPurpose::SIGN, 0, &found));
}
TEST(AuthTokenTableTest, AuthenticationNotRequired) {
AuthTokenTable table;
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
EXPECT_EQ(AuthTokenTable::AUTH_NOT_REQUIRED,
table.FindAuthorization(
- AuthorizationSetBuilder().Authorization(TAG_NO_AUTH_REQUIRED).build(),
- KM_PURPOSE_SIGN, 0 /* no challenge */, &found));
+ AuthorizationSetBuilder().Authorization(TAG_NO_AUTH_REQUIRED),
+ KeyPurpose::SIGN, 0 /* no challenge */, &found));
}
TEST(AuthTokenTableTest, OperationHandleNotFound) {
AuthTokenTable table;
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
table.AddAuthenticationToken(make_token(1, 0, 1, 5));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
2 /* non-matching challenge */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* matching challenge */, &found));
table.MarkCompleted(1);
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* used challenge */, &found));
}
TEST(AuthTokenTableTest, OperationHandleRequired) {
AuthTokenTable table;
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
table.AddAuthenticationToken(make_token(1));
EXPECT_EQ(AuthTokenTable::OP_HANDLE_REQUIRED,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
0 /* no op handle */, &found));
}
TEST(AuthTokenTableTest, AuthSidChanged) {
AuthTokenTable table;
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
table.AddAuthenticationToken(make_token(1, 3, /* op handle */ 1));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_WRONG_SID,
- table.FindAuthorization(make_set(2, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(2, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* op handle */, &found));
}
TEST(AuthTokenTableTest, TokenExpired) {
AuthTokenTable table(5, monotonic_clock);
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
auto key_info = make_set(1, 5 /* five second timeout */);
@@ -281,17 +278,17 @@
// keymaster when the found token is passed to it.
table.AddAuthenticationToken(make_token(1, 0));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_EXPIRED,
- table.FindAuthorization(key_info, KM_PURPOSE_SIGN, 0 /* no op handle */, &found));
+ table.FindAuthorization(key_info, KeyPurpose::SIGN, 0 /* no op handle */, &found));
}
TEST(AuthTokenTableTest, MarkNonexistentEntryCompleted) {
@@ -302,15 +299,15 @@
TEST(AuthTokenTableTest, SupersededEntries) {
AuthTokenTable table;
- const hw_auth_token_t* found;
+ const HardwareAuthToken* found;
// Add two identical tokens, without challenges. The second should supersede the first, based
// on timestamp (fourth arg to make_token).
table.AddAuthenticationToken(make_token(1, 0, 0, 0));
table.AddAuthenticationToken(make_token(1, 0, 0, 1));
EXPECT_EQ(1U, table.size());
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(1U, ntoh(found->timestamp));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(1U, ntohq(found->timestamp));
// Add a third token, this with a different RSID. It should not be superseded.
table.AddAuthenticationToken(make_token(2, 0, 0, 2));
@@ -320,10 +317,10 @@
table.AddAuthenticationToken(make_token(1, 0, 0, 3));
table.AddAuthenticationToken(make_token(2, 0, 0, 4));
EXPECT_EQ(2U, table.size());
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(3U, ntoh(found->timestamp));
- EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0, &found));
- EXPECT_EQ(4U, ntoh(found->timestamp));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(3U, ntohq(found->timestamp));
+ EXPECT_EQ(AuthTokenTable::OK, table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0, &found));
+ EXPECT_EQ(4U, ntohq(found->timestamp));
// Add another, this one with a challenge value. It should supersede the old one since it is
// newer, and matches other than the challenge.
@@ -338,13 +335,13 @@
// Should be able to find each of them, by specifying their challenge, with a key that is not
// timed (timed keys don't care about challenges).
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout*/), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout*/), KeyPurpose::SIGN,
1 /* challenge */, &found));
- EXPECT_EQ(5U, ntoh(found->timestamp));
+ EXPECT_EQ(5U, ntohq(found->timestamp));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
2 /* challenge */, &found));
- EXPECT_EQ(6U, ntoh(found->timestamp));
+ EXPECT_EQ(6U, ntohq(found->timestamp));
// Add another, without a challenge, and the same timestamp as the last one. This new one
// actually could be considered already-superseded, but the table doesn't handle that case,
@@ -352,31 +349,31 @@
table.AddAuthenticationToken(make_token(1, 0, 0, 6));
EXPECT_EQ(4U, table.size());
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(6U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(6U, ntohq(found->timestamp));
// Add another without a challenge but an increased timestamp. This should supersede the
// previous challenge-free entry.
table.AddAuthenticationToken(make_token(1, 0, 0, 7));
EXPECT_EQ(4U, table.size());
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
2 /* challenge */, &found));
- EXPECT_EQ(6U, ntoh(found->timestamp));
+ EXPECT_EQ(6U, ntohq(found->timestamp));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(7U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(7U, ntohq(found->timestamp));
// Mark the entry with challenge 2 as complete. Since there's a newer challenge-free entry, the
// challenge entry will be superseded.
table.MarkCompleted(2);
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
2 /* challenge */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(7U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(7U, ntohq(found->timestamp));
// Add another SID 1 entry with a challenge. It supersedes the previous SID 1 entry with
// no challenge (timestamp 7), but not the one with challenge 1 (timestamp 5).
@@ -384,19 +381,19 @@
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* challenge */, &found));
- EXPECT_EQ(5U, ntoh(found->timestamp));
+ EXPECT_EQ(5U, ntohq(found->timestamp));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
3 /* challenge */, &found));
- EXPECT_EQ(8U, ntoh(found->timestamp));
+ EXPECT_EQ(8U, ntohq(found->timestamp));
// SID 2 entry is still there.
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(2), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(4U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(2), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(4U, ntohq(found->timestamp));
// Mark the entry with challenge 3 as complete. Since the older challenge 1 entry is
// incomplete, nothing is superseded.
@@ -404,24 +401,24 @@
EXPECT_EQ(3U, table.size());
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* challenge */, &found));
- EXPECT_EQ(5U, ntoh(found->timestamp));
+ EXPECT_EQ(5U, ntohq(found->timestamp));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(8U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(8U, ntohq(found->timestamp));
// Mark the entry with challenge 1 as complete. Since there's a newer one (with challenge 3,
// completed), the challenge 1 entry is superseded and removed.
table.MarkCompleted(1);
EXPECT_EQ(2U, table.size());
EXPECT_EQ(AuthTokenTable::AUTH_TOKEN_NOT_FOUND,
- table.FindAuthorization(make_set(1, 0 /* no timeout */), KM_PURPOSE_SIGN,
+ table.FindAuthorization(make_set(1, 0 /* no timeout */), KeyPurpose::SIGN,
1 /* challenge */, &found));
EXPECT_EQ(AuthTokenTable::OK,
- table.FindAuthorization(make_set(1), KM_PURPOSE_SIGN, 0 /* challenge */, &found));
- EXPECT_EQ(8U, ntoh(found->timestamp));
+ table.FindAuthorization(make_set(1), KeyPurpose::SIGN, 0 /* challenge */, &found));
+ EXPECT_EQ(8U, ntohq(found->timestamp));
}
} // namespace keymaster