diff options
Diffstat (limited to 'identity/aidl/vts/TestCredentialTests.cpp')
| -rw-r--r-- | identity/aidl/vts/TestCredentialTests.cpp | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/identity/aidl/vts/TestCredentialTests.cpp b/identity/aidl/vts/TestCredentialTests.cpp new file mode 100644 index 0000000000..d53de3b073 --- /dev/null +++ b/identity/aidl/vts/TestCredentialTests.cpp @@ -0,0 +1,204 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define LOG_TAG "TestCredentialTests" + +#include <aidl/Gtest.h> +#include <aidl/Vintf.h> +#include <aidl/android/hardware/keymaster/HardwareAuthToken.h> +#include <aidl/android/hardware/keymaster/VerificationToken.h> +#include <android-base/logging.h> +#include <android/hardware/identity/IIdentityCredentialStore.h> +#include <android/hardware/identity/support/IdentityCredentialSupport.h> +#include <binder/IServiceManager.h> +#include <binder/ProcessState.h> +#include <cppbor.h> +#include <cppbor_parse.h> +#include <gtest/gtest.h> +#include <future> +#include <map> +#include <utility> + +#include "Util.h" + +namespace android::hardware::identity { + +using std::endl; +using std::make_pair; +using std::map; +using std::optional; +using std::pair; +using std::string; +using std::tie; +using std::vector; + +using ::android::sp; +using ::android::String16; +using ::android::binder::Status; + +using ::android::hardware::keymaster::HardwareAuthToken; +using ::android::hardware::keymaster::VerificationToken; + +class TestCredentialTests : public testing::TestWithParam<string> { + public: + virtual void SetUp() override { + string halInstanceName = GetParam(); + credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>( + String16(halInstanceName.c_str())); + ASSERT_NE(credentialStore_, nullptr); + halApiVersion_ = credentialStore_->getInterfaceVersion(); + } + + sp<IIdentityCredentialStore> credentialStore_; + int halApiVersion_; +}; + +TEST_P(TestCredentialTests, testCredential) { + string docType = "org.iso.18013-5.2019.mdl"; + sp<IWritableIdentityCredential> wc; + ASSERT_TRUE(credentialStore_ + ->createCredential(docType, + true, // testCredential + &wc) + .isOk()); + + vector<uint8_t> attestationApplicationId = {}; + vector<uint8_t> attestationChallenge = {1}; + vector<Certificate> certChain; + ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge, + &certChain) + .isOk()); + + optional<vector<uint8_t>> optCredentialPubKey = + support::certificateChainGetTopMostKey(certChain[0].encodedCertificate); + ASSERT_TRUE(optCredentialPubKey); + vector<uint8_t> credentialPubKey; + credentialPubKey = optCredentialPubKey.value(); + + size_t proofOfProvisioningSize = 112; + // Not in v1 HAL, may fail + wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize); + + ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */, + {1} /* numDataElementsPerNamespace */) + .isOk()); + + // Access control profile 0: open access - don't care about the returned SACP + SecureAccessControlProfile sacp; + ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk()); + + // Single entry - don't care about the returned encrypted data + vector<uint8_t> encryptedData; + vector<uint8_t> tstrLastName = cppbor::Tstr("Turing").encode(); + ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Last name", tstrLastName.size()).isOk()); + ASSERT_TRUE(wc->addEntryValue(tstrLastName, &encryptedData).isOk()); + + vector<uint8_t> proofOfProvisioningSignature; + vector<uint8_t> credentialData; + Status status = wc->finishAddingEntries(&credentialData, &proofOfProvisioningSignature); + EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage(); + + optional<vector<uint8_t>> proofOfProvisioning = + support::coseSignGetPayload(proofOfProvisioningSignature); + ASSERT_TRUE(proofOfProvisioning); + string cborPretty = support::cborPrettyPrint(proofOfProvisioning.value(), 32, {}); + EXPECT_EQ( + "[\n" + " 'ProofOfProvisioning',\n" + " 'org.iso.18013-5.2019.mdl',\n" + " [\n" + " {\n" + " 'id' : 1,\n" + " },\n" + " ],\n" + " {\n" + " 'ns' : [\n" + " {\n" + " 'name' : 'Last name',\n" + " 'value' : 'Turing',\n" + " 'accessControlProfiles' : [1, ],\n" + " },\n" + " ],\n" + " },\n" + " true,\n" + "]", + cborPretty); + // Make sure it's signed by the CredentialKey in the returned cert chain. + EXPECT_TRUE(support::coseCheckEcDsaSignature(proofOfProvisioningSignature, + {}, // Additional data + credentialPubKey)); + + // Now analyze credentialData.. + auto [item, _, message] = cppbor::parse(credentialData); + ASSERT_NE(item, nullptr); + const cppbor::Array* arrayItem = item->asArray(); + ASSERT_NE(arrayItem, nullptr); + ASSERT_EQ(arrayItem->size(), 3); + const cppbor::Tstr* docTypeItem = (*arrayItem)[0]->asTstr(); + const cppbor::Bool* testCredentialItem = + ((*arrayItem)[1]->asSimple() != nullptr ? ((*arrayItem)[1]->asSimple()->asBool()) + : nullptr); + EXPECT_EQ(docTypeItem->value(), docType); + EXPECT_EQ(testCredentialItem->value(), true); + + vector<uint8_t> hardwareBoundKey = support::getTestHardwareBoundKey(); + const cppbor::Bstr* encryptedCredentialKeysItem = (*arrayItem)[2]->asBstr(); + const vector<uint8_t>& encryptedCredentialKeys = encryptedCredentialKeysItem->value(); + const vector<uint8_t> docTypeVec(docType.begin(), docType.end()); + optional<vector<uint8_t>> decryptedCredentialKeys = + support::decryptAes128Gcm(hardwareBoundKey, encryptedCredentialKeys, docTypeVec); + ASSERT_TRUE(decryptedCredentialKeys); + auto [dckItem, dckPos, dckMessage] = cppbor::parse(decryptedCredentialKeys.value()); + ASSERT_NE(dckItem, nullptr) << dckMessage; + const cppbor::Array* dckArrayItem = dckItem->asArray(); + ASSERT_NE(dckArrayItem, nullptr); + // In HAL API version 1 and 2 this array has two items, in version 3 and later it has three. + if (halApiVersion_ < 3) { + ASSERT_EQ(dckArrayItem->size(), 2); + } else { + ASSERT_EQ(dckArrayItem->size(), 3); + } + const cppbor::Bstr* storageKeyItem = (*dckArrayItem)[0]->asBstr(); + const vector<uint8_t> storageKey = storageKeyItem->value(); + // const cppbor::Bstr* credentialPrivKeyItem = (*dckArrayItem)[1]->asBstr(); + // const vector<uint8_t> credentialPrivKey = credentialPrivKeyItem->value(); + + // Check storageKey can be used to decrypt |encryptedData| to |tstrLastName| + vector<uint8_t> additionalData = cppbor::Map() + .add("Namespace", "ns") + .add("Name", "Last name") + .add("AccessControlProfileIds", cppbor::Array().add(1)) + .encode(); + optional<vector<uint8_t>> decryptedDataItemValue = + support::decryptAes128Gcm(storageKey, encryptedData, additionalData); + ASSERT_TRUE(decryptedDataItemValue); + EXPECT_EQ(decryptedDataItemValue.value(), tstrLastName); + + // Check that SHA-256(ProofOfProvisioning) matches (only in HAL API version 3) + if (halApiVersion_ >= 3) { + const cppbor::Bstr* popSha256Item = (*dckArrayItem)[2]->asBstr(); + const vector<uint8_t> popSha256 = popSha256Item->value(); + ASSERT_EQ(popSha256, support::sha256(proofOfProvisioning.value())); + } +} + +GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(TestCredentialTests); +INSTANTIATE_TEST_SUITE_P( + Identity, TestCredentialTests, + testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)), + android::PrintInstanceNameToString); + +} // namespace android::hardware::identity |