1*4d7e907cSAndroid Build Coastguard Worker /*
2*4d7e907cSAndroid Build Coastguard Worker * Copyright (C) 2020 The Android Open Source Project
3*4d7e907cSAndroid Build Coastguard Worker *
4*4d7e907cSAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*4d7e907cSAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*4d7e907cSAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*4d7e907cSAndroid Build Coastguard Worker *
8*4d7e907cSAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*4d7e907cSAndroid Build Coastguard Worker *
10*4d7e907cSAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*4d7e907cSAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*4d7e907cSAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*4d7e907cSAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*4d7e907cSAndroid Build Coastguard Worker * limitations under the License.
15*4d7e907cSAndroid Build Coastguard Worker */
16*4d7e907cSAndroid Build Coastguard Worker
17*4d7e907cSAndroid Build Coastguard Worker #define LOG_TAG "PresentationSessionTests"
18*4d7e907cSAndroid Build Coastguard Worker
19*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Gtest.h>
20*4d7e907cSAndroid Build Coastguard Worker #include <aidl/Vintf.h>
21*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/HardwareAuthToken.h>
22*4d7e907cSAndroid Build Coastguard Worker #include <aidl/android/hardware/keymaster/VerificationToken.h>
23*4d7e907cSAndroid Build Coastguard Worker #include <android-base/logging.h>
24*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/IIdentityCredentialStore.h>
25*4d7e907cSAndroid Build Coastguard Worker #include <android/hardware/identity/support/IdentityCredentialSupport.h>
26*4d7e907cSAndroid Build Coastguard Worker #include <binder/IServiceManager.h>
27*4d7e907cSAndroid Build Coastguard Worker #include <binder/ProcessState.h>
28*4d7e907cSAndroid Build Coastguard Worker #include <cppbor.h>
29*4d7e907cSAndroid Build Coastguard Worker #include <cppbor_parse.h>
30*4d7e907cSAndroid Build Coastguard Worker #include <gtest/gtest.h>
31*4d7e907cSAndroid Build Coastguard Worker #include <future>
32*4d7e907cSAndroid Build Coastguard Worker #include <map>
33*4d7e907cSAndroid Build Coastguard Worker #include <utility>
34*4d7e907cSAndroid Build Coastguard Worker
35*4d7e907cSAndroid Build Coastguard Worker #include "Util.h"
36*4d7e907cSAndroid Build Coastguard Worker
37*4d7e907cSAndroid Build Coastguard Worker namespace android::hardware::identity {
38*4d7e907cSAndroid Build Coastguard Worker
39*4d7e907cSAndroid Build Coastguard Worker using std::endl;
40*4d7e907cSAndroid Build Coastguard Worker using std::make_pair;
41*4d7e907cSAndroid Build Coastguard Worker using std::map;
42*4d7e907cSAndroid Build Coastguard Worker using std::optional;
43*4d7e907cSAndroid Build Coastguard Worker using std::pair;
44*4d7e907cSAndroid Build Coastguard Worker using std::string;
45*4d7e907cSAndroid Build Coastguard Worker using std::tie;
46*4d7e907cSAndroid Build Coastguard Worker using std::vector;
47*4d7e907cSAndroid Build Coastguard Worker
48*4d7e907cSAndroid Build Coastguard Worker using ::android::sp;
49*4d7e907cSAndroid Build Coastguard Worker using ::android::String16;
50*4d7e907cSAndroid Build Coastguard Worker using ::android::binder::Status;
51*4d7e907cSAndroid Build Coastguard Worker
52*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::HardwareAuthToken;
53*4d7e907cSAndroid Build Coastguard Worker using ::android::hardware::keymaster::VerificationToken;
54*4d7e907cSAndroid Build Coastguard Worker
55*4d7e907cSAndroid Build Coastguard Worker class PresentationSessionTests : public testing::TestWithParam<string> {
56*4d7e907cSAndroid Build Coastguard Worker public:
SetUp()57*4d7e907cSAndroid Build Coastguard Worker virtual void SetUp() override {
58*4d7e907cSAndroid Build Coastguard Worker credentialStore_ = android::waitForDeclaredService<IIdentityCredentialStore>(
59*4d7e907cSAndroid Build Coastguard Worker String16(GetParam().c_str()));
60*4d7e907cSAndroid Build Coastguard Worker ASSERT_NE(credentialStore_, nullptr);
61*4d7e907cSAndroid Build Coastguard Worker halApiVersion_ = credentialStore_->getInterfaceVersion();
62*4d7e907cSAndroid Build Coastguard Worker }
63*4d7e907cSAndroid Build Coastguard Worker
64*4d7e907cSAndroid Build Coastguard Worker void provisionData();
65*4d7e907cSAndroid Build Coastguard Worker
66*4d7e907cSAndroid Build Coastguard Worker void provisionSingleDocument(const string& docType, vector<uint8_t>* outCredentialData,
67*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t>* outCredentialPubKey);
68*4d7e907cSAndroid Build Coastguard Worker
69*4d7e907cSAndroid Build Coastguard Worker // Set by provisionData
70*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> credential1Data_;
71*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> credential1PubKey_;
72*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> credential2Data_;
73*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> credential2PubKey_;
74*4d7e907cSAndroid Build Coastguard Worker
75*4d7e907cSAndroid Build Coastguard Worker sp<IIdentityCredentialStore> credentialStore_;
76*4d7e907cSAndroid Build Coastguard Worker int halApiVersion_;
77*4d7e907cSAndroid Build Coastguard Worker };
78*4d7e907cSAndroid Build Coastguard Worker
provisionData()79*4d7e907cSAndroid Build Coastguard Worker void PresentationSessionTests::provisionData() {
80*4d7e907cSAndroid Build Coastguard Worker provisionSingleDocument("org.iso.18013-5.2019.mdl", &credential1Data_, &credential1PubKey_);
81*4d7e907cSAndroid Build Coastguard Worker provisionSingleDocument("org.blah.OtherhDocTypeXX", &credential2Data_, &credential2PubKey_);
82*4d7e907cSAndroid Build Coastguard Worker }
83*4d7e907cSAndroid Build Coastguard Worker
provisionSingleDocument(const string & docType,vector<uint8_t> * outCredentialData,vector<uint8_t> * outCredentialPubKey)84*4d7e907cSAndroid Build Coastguard Worker void PresentationSessionTests::provisionSingleDocument(const string& docType,
85*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t>* outCredentialData,
86*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t>* outCredentialPubKey) {
87*4d7e907cSAndroid Build Coastguard Worker bool testCredential = true;
88*4d7e907cSAndroid Build Coastguard Worker sp<IWritableIdentityCredential> wc;
89*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(credentialStore_->createCredential(docType, testCredential, &wc).isOk());
90*4d7e907cSAndroid Build Coastguard Worker
91*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> attestationApplicationId;
92*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> attestationChallenge = {1};
93*4d7e907cSAndroid Build Coastguard Worker vector<Certificate> certChain;
94*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(wc->getAttestationCertificate(attestationApplicationId, attestationChallenge,
95*4d7e907cSAndroid Build Coastguard Worker &certChain)
96*4d7e907cSAndroid Build Coastguard Worker .isOk());
97*4d7e907cSAndroid Build Coastguard Worker
98*4d7e907cSAndroid Build Coastguard Worker optional<vector<uint8_t>> optCredentialPubKey =
99*4d7e907cSAndroid Build Coastguard Worker support::certificateChainGetTopMostKey(certChain[0].encodedCertificate);
100*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(optCredentialPubKey);
101*4d7e907cSAndroid Build Coastguard Worker *outCredentialPubKey = optCredentialPubKey.value();
102*4d7e907cSAndroid Build Coastguard Worker
103*4d7e907cSAndroid Build Coastguard Worker size_t proofOfProvisioningSize = 106;
104*4d7e907cSAndroid Build Coastguard Worker // Not in v1 HAL, may fail
105*4d7e907cSAndroid Build Coastguard Worker wc->setExpectedProofOfProvisioningSize(proofOfProvisioningSize);
106*4d7e907cSAndroid Build Coastguard Worker
107*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(wc->startPersonalization(1 /* numAccessControlProfiles */,
108*4d7e907cSAndroid Build Coastguard Worker {1} /* numDataElementsPerNamespace */)
109*4d7e907cSAndroid Build Coastguard Worker .isOk());
110*4d7e907cSAndroid Build Coastguard Worker
111*4d7e907cSAndroid Build Coastguard Worker // Access control profile 0: open access - don't care about the returned SACP
112*4d7e907cSAndroid Build Coastguard Worker SecureAccessControlProfile sacp;
113*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(wc->addAccessControlProfile(1, {}, false, 0, 0, &sacp).isOk());
114*4d7e907cSAndroid Build Coastguard Worker
115*4d7e907cSAndroid Build Coastguard Worker // Single entry - don't care about the returned encrypted data
116*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(wc->beginAddEntry({1}, "ns", "Some Data", 1).isOk());
117*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> encryptedData;
118*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(wc->addEntryValue({9}, &encryptedData).isOk());
119*4d7e907cSAndroid Build Coastguard Worker
120*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> proofOfProvisioningSignature;
121*4d7e907cSAndroid Build Coastguard Worker Status status = wc->finishAddingEntries(outCredentialData, &proofOfProvisioningSignature);
122*4d7e907cSAndroid Build Coastguard Worker EXPECT_TRUE(status.isOk()) << status.exceptionCode() << ": " << status.exceptionMessage();
123*4d7e907cSAndroid Build Coastguard Worker }
124*4d7e907cSAndroid Build Coastguard Worker
125*4d7e907cSAndroid Build Coastguard Worker // This checks that any methods called on an IIdentityCredential obtained via a session
126*4d7e907cSAndroid Build Coastguard Worker // returns STATUS_FAILED except for startRetrieval(), startRetrieveEntryValue(),
127*4d7e907cSAndroid Build Coastguard Worker // retrieveEntryValue(), finishRetrieval(), setRequestedNamespaces(), setVerificationToken()
128*4d7e907cSAndroid Build Coastguard Worker //
TEST_P(PresentationSessionTests,returnsFailureOnUnsupportedMethods)129*4d7e907cSAndroid Build Coastguard Worker TEST_P(PresentationSessionTests, returnsFailureOnUnsupportedMethods) {
130*4d7e907cSAndroid Build Coastguard Worker if (halApiVersion_ < 4) {
131*4d7e907cSAndroid Build Coastguard Worker GTEST_SKIP() << "Need HAL API version 4, have " << halApiVersion_;
132*4d7e907cSAndroid Build Coastguard Worker }
133*4d7e907cSAndroid Build Coastguard Worker
134*4d7e907cSAndroid Build Coastguard Worker provisionData();
135*4d7e907cSAndroid Build Coastguard Worker
136*4d7e907cSAndroid Build Coastguard Worker sp<IPresentationSession> session;
137*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(credentialStore_
138*4d7e907cSAndroid Build Coastguard Worker ->createPresentationSession(
139*4d7e907cSAndroid Build Coastguard Worker CipherSuite::CIPHERSUITE_ECDHE_HKDF_ECDSA_WITH_AES_256_GCM_SHA256,
140*4d7e907cSAndroid Build Coastguard Worker &session)
141*4d7e907cSAndroid Build Coastguard Worker .isOk());
142*4d7e907cSAndroid Build Coastguard Worker
143*4d7e907cSAndroid Build Coastguard Worker sp<IIdentityCredential> credential;
144*4d7e907cSAndroid Build Coastguard Worker ASSERT_TRUE(session->getCredential(credential1Data_, &credential).isOk());
145*4d7e907cSAndroid Build Coastguard Worker
146*4d7e907cSAndroid Build Coastguard Worker Status result;
147*4d7e907cSAndroid Build Coastguard Worker
148*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> signatureProofOfDeletion;
149*4d7e907cSAndroid Build Coastguard Worker result = credential->deleteCredential(&signatureProofOfDeletion);
150*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
151*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
152*4d7e907cSAndroid Build Coastguard Worker
153*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> ephemeralKeyPair;
154*4d7e907cSAndroid Build Coastguard Worker result = credential->createEphemeralKeyPair(&ephemeralKeyPair);
155*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
156*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
157*4d7e907cSAndroid Build Coastguard Worker
158*4d7e907cSAndroid Build Coastguard Worker result = credential->setReaderEphemeralPublicKey({});
159*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
160*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
161*4d7e907cSAndroid Build Coastguard Worker
162*4d7e907cSAndroid Build Coastguard Worker int64_t authChallenge;
163*4d7e907cSAndroid Build Coastguard Worker result = credential->createAuthChallenge(&authChallenge);
164*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
165*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
166*4d7e907cSAndroid Build Coastguard Worker
167*4d7e907cSAndroid Build Coastguard Worker Certificate certificate;
168*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> signingKeyBlob;
169*4d7e907cSAndroid Build Coastguard Worker result = credential->generateSigningKeyPair(&signingKeyBlob, &certificate);
170*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
171*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
172*4d7e907cSAndroid Build Coastguard Worker
173*4d7e907cSAndroid Build Coastguard Worker result = credential->deleteCredentialWithChallenge({}, &signatureProofOfDeletion);
174*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
175*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
176*4d7e907cSAndroid Build Coastguard Worker
177*4d7e907cSAndroid Build Coastguard Worker vector<uint8_t> signatureProofOfOwnership;
178*4d7e907cSAndroid Build Coastguard Worker result = credential->proveOwnership({}, &signatureProofOfOwnership);
179*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
180*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
181*4d7e907cSAndroid Build Coastguard Worker
182*4d7e907cSAndroid Build Coastguard Worker sp<IWritableIdentityCredential> writableCredential;
183*4d7e907cSAndroid Build Coastguard Worker result = credential->updateCredential(&writableCredential);
184*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, result.exceptionCode());
185*4d7e907cSAndroid Build Coastguard Worker EXPECT_EQ(IIdentityCredentialStore::STATUS_FAILED, result.serviceSpecificErrorCode());
186*4d7e907cSAndroid Build Coastguard Worker }
187*4d7e907cSAndroid Build Coastguard Worker
188*4d7e907cSAndroid Build Coastguard Worker // TODO: need to add tests to check that the returned IIdentityCredential works
189*4d7e907cSAndroid Build Coastguard Worker // as intended.
190*4d7e907cSAndroid Build Coastguard Worker
191*4d7e907cSAndroid Build Coastguard Worker GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(PresentationSessionTests);
192*4d7e907cSAndroid Build Coastguard Worker INSTANTIATE_TEST_SUITE_P(
193*4d7e907cSAndroid Build Coastguard Worker Identity, PresentationSessionTests,
194*4d7e907cSAndroid Build Coastguard Worker testing::ValuesIn(android::getAidlHalInstanceNames(IIdentityCredentialStore::descriptor)),
195*4d7e907cSAndroid Build Coastguard Worker android::PrintInstanceNameToString);
196*4d7e907cSAndroid Build Coastguard Worker
197*4d7e907cSAndroid Build Coastguard Worker } // namespace android::hardware::identity
198