diff options
| author | David Zeuthen <zeuthen@google.com> | 2020-10-16 11:27:24 -0400 |
|---|---|---|
| committer | David Zeuthen <zeuthen@google.com> | 2021-01-23 13:35:57 -0500 |
| commit | 49f2d2558ac417d090dfae9c78ab372d71e5140c (patch) | |
| tree | be240ccdfb0fa1e45aa03648cb385ff7ce82d84f /identity/aidl/vts/AuthenticationKeyTests.cpp | |
| parent | eafa06164d1e1bafbe20562d540ab5420bb0f825 (diff) | |
Identity Credential changes for Android 12
- Add IIdentityCredential.deleteCredentialWithChallenge()
- Deprecate IIdentityCredential.deleteCredential()
- Add IIdentityCredential.proveOwership()
- Add IIdentityCredential.updateCredential()
- Add ProofOfBinding CBOR to AuthenticationKey X.509 certificate
- Document which API versions new methods/features appeared in.
- Mention need to declare android.hardware.identity_credential system
feature (w/ feature version number) and do this for the default
implementation.
Bug: 170146643
Test: atest VtsHalIdentityTargetTest
Change-Id: Ib47c7caa5f3d6fff6919f019eee44a735dba9cf8
Diffstat (limited to 'identity/aidl/vts/AuthenticationKeyTests.cpp')
| -rw-r--r-- | identity/aidl/vts/AuthenticationKeyTests.cpp | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/identity/aidl/vts/AuthenticationKeyTests.cpp b/identity/aidl/vts/AuthenticationKeyTests.cpp new file mode 100644 index 0000000000..bda3e70413 --- /dev/null +++ b/identity/aidl/vts/AuthenticationKeyTests.cpp @@ -0,0 +1,194 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define LOG_TAG "TestCredentialTests" + +#include <aidl/Gtest.h> +#include <aidl/Vintf.h> +#include <aidl/android/hardware/keymaster/HardwareAuthToken.h> +#include <aidl/android/hardware/keymaster/VerificationToken.h> +#include <android-base/logging.h> +#include <android/hardware/identity/IIdentityCredentialStore.h> +#include <android/hardware/identity/support/IdentityCredentialSupport.h> +#include <binder/IServiceManager.h> +#include <binder/ProcessState.h> +#include <cppbor.h> +#include <cppbor_parse.h> +#include <gtest/gtest.h> +#include <future> +#include <map> +#include <utility> + +#include "Util.h" + +namespace android::hardware::identity { + +using std::endl; +using std::make_pair; +using std::map; +using std::optional; +using std::pair; +using std::string; +using std::tie; +using std::vector; + +using ::android::sp; +using ::android::String16; +using ::android::binder::Status; + +using ::android::hardware::keymaster::HardwareAuthToken; +using ::android::hardware::keymaster::VerificationToken; + +class AuthenticationKeyTests : public testing::TestWithParam<string> { + public: + virtual void SetUp() override { + string halInstanceName = GetParam(); + credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>( + String16(halInstanceName.c_str())); + ASSERT_NE(credentialStore_, nullptr); + halApiVersion_ = credentialStore_->getInterfaceVersion(); + } + + sp<IIdentityCredentialStore> credentialStore_; + int halApiVersion_; +}; + +TEST_P(AuthenticationKeyTests, proofOfProvisionInAuthKeyCert) { + if (halApiVersion_ < 3) { + GTEST_SKIP() << "Need HAL API version 3, have " << halApiVersion_; + } + + string docType = "org.iso.18013-5.2019.mdl"; + sp<IWritableIdentityCredential> wc; + ASSERT_TRUE(credentialStore_ + ->createCredential(docType, + true, // testCredential + &wc) + .isOk()); + + vector<uint8_t> attestationApplicationId = {}; + vector<uint8_t> attestationChallenge = {1}; + vector<Certificate> certChain; + ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge, + &certChain) + .isOk()); + + optional<vector<uint8_t>> optCredentialPubKey = + support::certificateChainGetTopMostKey(certChain[0].encodedCertificate); + ASSERT_TRUE(optCredentialPubKey); + vector<uint8_t> credentialPubKey; + credentialPubKey = optCredentialPubKey.value(); + + size_t proofOfProvisioningSize = 112; + // Not in v1 HAL, may fail + wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize); + + ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */, + {1} /* numDataElementsPerNamespace */) + .isOk()); + + // Access control profile 0: open access - don't care about the returned SACP + SecureAccessControlProfile sacp; + ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk()); + + // Single entry - don't care about the returned encrypted data + vector<uint8_t> encryptedData; + vector<uint8_t> tstrLastName = cppbor::Tstr("Turing").encode(); + ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk()); + ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk()); + + vector<uint8_t> proofOfProvisioningSignature; + vector<uint8_t> credentialData; + Status status = wc->finishAddingEntries(&credentialData, &proofOfProvisioningSignature); + EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage(); + + optional<vector<uint8_t>> proofOfProvisioning = + support::coseSignGetPayload(proofOfProvisioningSignature); + ASSERT_TRUE(proofOfProvisioning); + string cborPretty = support::cborPrettyPrint(proofOfProvisioning.value(), 32, {}); + EXPECT_EQ( + "[\n" + " 'ProofOfProvisioning',\n" + " 'org.iso.18013-5.2019.mdl',\n" + " [\n" + " {\n" + " 'id' : 1,\n" + " },\n" + " ],\n" + " {\n" + " 'ns' : [\n" + " {\n" + " 'name' : 'Last name',\n" + " 'value' : 'Turing',\n" + " 'accessControlProfiles' : [1, ],\n" + " },\n" + " ],\n" + " },\n" + " true,\n" + "]", + cborPretty); + // Make sure it's signed by the CredentialKey in the returned cert chain. + EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature, + {}, // Additional data + credentialPubKey)); + + // Now get a credential and have it create AuthenticationKey so we can check + // the certificate. + sp<IIdentityCredential> credential; + ASSERT_TRUE(credentialStore_ + ->getCredential( + CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256, + credentialData, &credential) + .isOk()); + vector<uint8_t> signingKeyBlob; + Certificate signingKeyCertificate; + ASSERT_TRUE(credential->generateSigningKeyPair(&signingKeyBlob, &signingKeyCertificate).isOk()); + optional<vector<uint8_t>> signingPubKey = + support::certificateChainGetTopMostKey(signingKeyCertificate.encodedCertificate); + EXPECT_TRUE(signingPubKey); + + // SHA-256(ProofOfProvisioning) is embedded in CBOR with the following CDDL + // + // ProofOfBinding = [ + // "ProofOfBinding", + // bstr, // Contains the SHA-256 of ProofOfProvisioning + // ] + // + // Check that. + // + optional<vector<uint8_t>> proofOfBinding = support::certificateGetExtension( + signingKeyCertificate.encodedCertificate, "1.3.6.1.4.1.11129.2.1.26"); + ASSERT_TRUE(proofOfBinding); + auto [item, _, message] = cppbor::parse(proofOfBinding.value()); + ASSERT_NE(item, nullptr) << message; + const cppbor::Array* arrayItem = item->asArray(); + ASSERT_NE(arrayItem, nullptr); + ASSERT_EQ(arrayItem->size(), 2); + const cppbor::Tstr* strItem = (*arrayItem)[0]->asTstr(); + ASSERT_NE(strItem, nullptr); + EXPECT_EQ(strItem->value(), "ProofOfBinding"); + const cppbor::Bstr* popSha256Item = (*arrayItem)[1]->asBstr(); + ASSERT_NE(popSha256Item, nullptr); + EXPECT_EQ(popSha256Item->value(), support::sha256(proofOfProvisioning.value())); +} + +GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(AuthenticationKeyTests); +INSTANTIATE_TEST_SUITE_P( + Identity, AuthenticationKeyTests, + testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)), + android::PrintInstanceNameToString); + +} // namespace android::hardware::identity |